Open Access. Powered by Scholars. Published by Universities.®

Digital Commons Network

Articles 1 - 14 of 14

Full-Text Articles in Entire DC Network

Intelligent Building Systems: Security And Facility Professionals’ Understanding Of System Threats, Vulnerabilities And Mitigation Practice, David J. Brooks, Michael Coole, Paul Haskell-Dowland Jan 2020

Research outputs 2014 to 2021

Intelligent Buildings or Building Automation and Control Systems (BACS) are becoming common in buildings, driven by the commercial need for functionality, sharing of information, reduced costs and sustainable buildings. The facility manager often has BACS responsibility; however, their focus is generally not on BACS security. Nevertheless, if a BACS-manifested threat is realised, the impact to a building can be significant, through denial, loss or manipulation of the building and its services, resulting in loss of information or occupancy. Therefore, this study garnered a descriptive understanding of security and facility professionals’ knowledge of BACS, including vulnerabilities and mitigation practices. Results indicate …


The Design And Evaluation Of A User-Centric Information Security Risk Assessment And Response Framework, Manal Alohali, Nathan Clarke, Steven Furnell Jan 2018

Research outputs 2014 to 2021

Abstract: The risk of sensitive information disclosure and modification through the use of online services has increased considerably and may result in significant damage. As the management and assessment of such risks is a well-known discipline for organizations, it is a challenge for users from the general public. Users have difficulties in using, understanding and reacting to security-related threats. Moreover, users only try to protect themselves from risks salient to them. Motivated by the lack of risk assessment solutions and limited impact of awareness programs tailored for users of the general public, this paper aims to develop a structured approach …


A Privacy Gap Around The Internet Of Things For Open-Source Projects, Brian Cusack, Reza Khaleghparast Jan 2016

Australian Information Security Management Conference

The Internet of Things (IoT) is having a more important role in the everyday lives of people. The distribution of connectivity across social and personal interaction discloses personalised information and gives access to a sphere of sensitivities that were previously masked. Privacy measures and security to protect personal sensitivities are weak and in their infancy. In this paper we review the issue of privacy in the context of IoT open-source projects, and the IoT security concerns. A proposal is made to create a privacy bubble around the interoperability of devices and systems and a filter layer to mitigate the exploitation …


Evaluating Small Drone Surveillance Capabilities To Enhance Traffic Conformance Intelligence, Brian Cusack, Reza Khaleghparast Jan 2015

Australian Security and Intelligence Conference

The availability of cheap small physical drones that fly around and have a variety of visual and sensor networks attached invites investigation for work applications. In this research we assess the capability of a set of commercially available drones (VTOL) that cost less than $1000 (Cheap is a relative term and we consider anything less than $5000 relatively cheap). The assessment reviews the capability to provide secure and safe motor vehicle surveillance for conformance intelligence. The evaluation was conducted by initially estimating a set of requirements that would satisfy an ideal surveillance situation and then by comparing a sample of …


Creating An Operational Security Management Structure For Inimical Environments: Papua New Guinea As A Case Study, William J. Bailey Jan 2015

Australian Security and Intelligence Conference

Security is a necessary cost for businesses wishing to operate in the developing economy of Papua New Guinea. The country continues to face levels of crime and violence out of proportion to other East Asian countries, which deters many would-be investors. However, the potential in PNG is vast and eagerly sought after despite the high costs required to operate without harm; therefore, it is necessary to manage the security situation. Experience from similar countries has shown that by using optimal security management systems and structures it is possible to work safely, securely and effectively, but this requires a comprehensive security, threat …


Cybersecurity Vulnerabilities In Medical Devices: A Complex Environment And Multifaceted Problem, Patricia A.H. Williams, Andrew J. Woodward Jan 2015

Research outputs 2014 to 2021

The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This …


Judging Dread: A Quantitative Investigation Of Affect, Psychometric Dread And Risk Consequence, Melvyn Griffiths Jan 2015

Theses: Doctorates and Masters

Risk is generally understood as a product of the likelihood and consequence of an event. However, the way in which estimations of consequences are formed is unclear due to the complexities of human perception. In particular, the influence of Affect, defined as positive or negative qualities subjectively assigned to stimuli, may skew risk consequence judgements. Thus a clearer understanding of the role of Affect in risk consequence estimations has significant implications for risk management, risk communication and policy formulation.

In the Psychometric tradition of risk perception, Affect has become almost synonymous with the concept of Dread, despite Dread being measured …


Identifying Bugs In Digital Forensic Tools, Brian Cusack, Alain Homewood Dec 2013

Australian Digital Forensics Conference

Bugs can be found in all code and the consequences are usually managed through upgrade releases, patches, and restarting operating systems and applications. However, in mission critical systems complete fall over systems are built to assure service continuity. In our research we asked the question, what are the professional risks of bugs in digital forensic tools? Our investigation reviewed three high use professional proprietary digital forensic tools, one in which we identified six bugs and evaluated these bugs in terms of potential impacts on an investigator’s work. The findings show that, yes, major brand name digital forensic tools have software …


Intelligence Analysis And Threat Assessment: Towards A More Comprehensive Model Of Threat, Charles Vandepeer Jan 2011

Australian Security and Intelligence Conference

A central focus of intelligence is the identification, analysis and assessment of threat. However, as acknowledged by intelligence practitioners, threat assessment lags behind the related field of risk assessment. This paper highlights how definitions of threat currently favoured by intelligence agencies are primarily based on threatening entities alone. Consequently, assessments of threat are almost singularly concerned with understanding an identified enemy’s intentions and capabilities. This ‘enemy-centric’ approach to intelligence analysis has recently come in for criticism. In particular, the shortcomings of the current approach become apparent where the focus of intelligence analysis is on threats from difficult-to-identify sub-state or non-state …


Terrorism In Australia: A Psychometric Study Into The Western Australian Public Perception Of Terrorism, Richard Sargent, David J. Brooks Nov 2010

Australian Security and Intelligence Conference

Terrorism is not a new concept, as historically terrorist organisations have used the threat of violence or actual violence to generate fear in individuals, organisations and governments alike. Fear is a weapon and is used to gain political, ideological or religious objectives. Past terrorist attacks have raised concerns around the world, as governments ensured that their anti-terrorism security strategies are adequate. Domestically, Australia upgraded its capacity to respond to terrorism events through security enhancements across many areas and with new initiatives such as the 2002 public counter terrorism campaign. Nevertheless, there has been restricted research into how terrorist events have …


Success Of Agile Environment In Complex Projects, Abbass Ghanbary, Julian Day Nov 2010

Australian Information Warfare and Security Conference

This paper discusses the impact of agile methodology in complex and modular interrelated projects based on the authors’ practical experience and observations. With the advancement of Web technologies and complex computer systems, business applications are able to transcend boundaries in order to fully meet business requirements and comply with the legislation, policies and procedures. The success of software development as well as software deployment of these complex applications is dependent upon the employed methodology and project management. This is so because employed methodology plays an important position in capturing and modeling of business requirements and project management helps to ensure …


Securing VoIP: A Framework To Mitigate Or Manage Risks, Peter James, Andrew Woodward Dec 2007

Australian Information Security Management Conference

In Australia, the past few years have seen Voice over IP (VoIP) move from a niche communications medium used by organisations with the appropriate infrastructure and capabilities to a technology that is available to anyone with a good broadband connection. Driven by low cost and no cost phone calls, easy to use VoIP clients and increasingly reliable connections, VoIP is replacing the Public Switched Telephone Network (PSTN) in a growing number of households. VoIP adoption appears to be following a similar path to early Internet adoption, namely little awareness by users of the security implications. Lack of concern about …


The Information Security Ownership Question In ISO/IEC 27001 – An Implementation, Lizzie Coles-Kemp, Richard E. Overill Dec 2006

Australian Information Security Management Conference

The information security management standard ISO/IEC 27001 is built on the notion that information security is driven by risk assessment and risk treatment. Fundamental to the success of risk assessment and treatment is the decision-making process that takes risk assessment output and assigns decisions to this output in terms of risk treatment actions. It is argued that the effectiveness of the management system lies in its ability to make effective, easy-to-implement and measurable decisions. One of the key issues in decision making is ownership. In this paper two aspects of information security ownership are considered: ownership of the asset …


Mapping The Consensual Knowledge Of Security Risk Management Experts, David J. Brooks Dec 2006

Australian Information Warfare and Security Conference

The security industry comprises diverse and multidisciplined practitioners, originating from many disciplines. It has been suggested that the industry has an undefined knowledge structure, although security experts contain a rich knowledge structure. There has also been limited research mapping security expert knowledge structure, reducing the ability of tertiary educators to provide industry focused teaching and learning. The study utilized multidimensional scaling (MDS) and expert interviews to map the consensual knowledge structure of security experts in their understanding of security risk. Security risk concepts were extracted and critiqued from West Australian university courses. Linguistic analysis categorised the more utilized security …