To minimize the possibility of introducing vulnerabilities in source code, software developers ma... more To minimize the possibility of introducing vulnerabilities in source code, software developers may attend security awareness and secure coding training. From the various approaches of how to raise awareness and adherence to coding standards, one promising novel approach is Cybersecurity Challenges. However, in an industrial setting, time is a precious resource, and, therefore, one needs to understand how to optimize the gaming experience of Cybersecurity Challenges and the effect of this game on secure coding skills. This work identifies the time spent solving challenges of different categories, analyzes gaming strategies in terms of a slow and fast team profile, and relates these profiles to the game success. First results indicate that the slow strategy is more successful than the fast approach. The authors also analyze the possible implications in the design and the training of secure coding in an industrial setting by means of Cybersecurity Challenges. This work concludes with a...
Awareness of cybersecurity topics facilitates software developers to produce secure code. This aw... more Awareness of cybersecurity topics facilitates software developers to produce secure code. This awareness is especially important in industrial environments for the products and services in critical infrastructures. In this work, we address how to raise awareness of software developers on the topic of secure coding. We propose the ”CyberSecurity Challenges”, a serious game designed to be used in an industrial environment and address software developers’ needs. Our work distills the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine these games.
Die Sicherheit kritischer Infrastrukturen wird als Selbstverständlichkeit angesehen: Wirkliche Pr... more Die Sicherheit kritischer Infrastrukturen wird als Selbstverständlichkeit angesehen: Wirkliche Probleme, wie häufige Stromausfälle, unrichtige Daten oder Lieferengpässe, kennt man eher aus anderen Ländern und die Gefahren des Cyber raums erscheinen im Vergleich unwirklich. Wie verwundbar sind kritische Infrastrukturen gegenüber Cyberbedrohungen?
Security in critical infrastructures is a highly relevant topic and as the level of security of c... more Security in critical infrastructures is a highly relevant topic and as the level of security of critical infrastructures needs to be increased the need for adequate methods and tools is apparent. “Processes and their properties” is the analysis perspective through which we revisit empirical data from our research on critical infrastructures to identify future research directions in security.
Command and Control teams in modern military and disaster response organizations work often synch... more Command and Control teams in modern military and disaster response organizations work often synchronously and are ad-hoc. We explore communication and performance of synchronous ad-hoc teams in an exploratory experiment study utilizing the team-shooter Battlefield 2 as experiment platform. We identify communication content aspects and communication patterns as the rhythm how communication deals with either the team or with enemy that differ in successful and unsuccessful teams. Introduction Today’s military and disaster response operations are complex and demand agile organization (Alberts and Hayes 2007; SAS-065 2009). Current scenarios require collaborating organizations to meet mission complexity. This mission complexity calls for new C2 approaches as e.g., Power to the Edge (Alberts and Hayes 2003) based on close collaboration of entities. One concept—command and control teams (C2 teams)—is considered to be purposeful to organize collaboration (Salas et al. 2001; Essens et al. 2...
Im Rahmen des Deutsch-Österreichischen Forschungsprojekts NutriSafe (Sicherheit in der Lebensmitt... more Im Rahmen des Deutsch-Österreichischen Forschungsprojekts NutriSafe (Sicherheit in der Lebensmittelproduktion und -logistik durch die Distributed-Ledger-Technologie) wurde eine Analyse zur Identifikation von relevanten Schwachstellen und Angriffsketten in Wertschöpfungsketten von Lebensmitteln durchgeführt. Die vorliegende Arbeit beschreibt die Analyse der IT-Infrastrukturen von fiktiven, aber der Realität nachempfundenen Akteuren der Wertschöpfungskette, basierend auf einem der Szenarien des NutriSafe-Projekts. Ergebnisse sind Beziehungen von Gefährdungen zu IT-Infrastrukturen und Modelle von Angriffsketten in Form von Attack Trees.
Distributed Computing and Internet Technology, 2018
IT security in critical infrastructures is one of the main challenges in informatics today. This ... more IT security in critical infrastructures is one of the main challenges in informatics today. This contribution shares results and experiences from the research project VeSiKi. The discussion begins with the human factor in cybersecurity, with economic and strategic approaches to cybersecurity and presents selected results form a case study series on Cybersecurity and an eclectic summary of results from a Cybersecurity research program.
An object-oriented model of an airport has been developed to assess the parallel object-oriented ... more An object-oriented model of an airport has been developed to assess the parallel object-oriented speci#cation language Maude. The model includes airplanes, gates, baggage handling, ground control and tower and has been implemented on the OBJ3 system, which serves as a rudimentary interpreter for Maude. We discuss twoways of specifying objects and present two notions of behavioral re#nement in Maude.
Over the last decade the speed at which knowledge is generated has greatly accelerated, thus exac... more Over the last decade the speed at which knowledge is generated has greatly accelerated, thus exacerbating the problem of finding the right information at the right time and posing new kinds of challenges to the management of an ever increasing pool of knowledge. Taking up the ideas of the ancient Greek concept of Academia, the “NetAcademy” is aiming at providing a knowledge medium to aid in the creation, integration, reviewing and dissemination of domain-specific knowledge in the scientific community ...
This report documents the program and the outcomes of Dagstuhl Seminar 13041 “Civilian Crisis Res... more This report documents the program and the outcomes of Dagstuhl Seminar 13041 “Civilian Crisis Response Models”. The vulnerability of modern societies to the threats of man made and natural disaster increases and scale and number of disasters are expected to rise. The earthquakes of Haiti with its subsequent Cholera epidemics, the natural disasters in Pakistan as well as the ongoing situation in Japan illustrate the need for effective and efficient crisis and disaster response organizations as well as humanitarian aid organizations in developing and first world countries. Disaster preparedness is a key to effectiveness and efficiency in case of crisis or disaster – but we observe that natural and human disasters are too often beyond what is being planned for. There is a need for new and better approaches in disaster and crises response and humanitarian aid. There is a need for well designed systems as well as for models, methods, instruments and tools for analysis and decision making...
Today, many products and solutions are provided on the cloud; however, the amount and financial l... more Today, many products and solutions are provided on the cloud; however, the amount and financial losses due to cloud security incidents illustrate the critical need to do more to protect cloud assets adequately. A gap lies in transferring what cloud and security standards recommend and require to industry practitioners working in the front line. It is of paramount importance to raise awareness about cloud security of these industrial practitioners. Under the guidance of design science paradigm, we introduce a serious game to help participants understand the inherent risks, understand the different roles, and encourage proactive defensive thinking in defending cloud assets. In our game, we designed and implemented an automated evaluator as a novel element. We invite the players to build defense plans and attack plans for which the evaluator calculates success likelihoods. The primary target group is industry practitioners, whereas people with limited background knowledge about cloud s...
Secure coding guidelines are essential material used to train and raise awareness of software dev... more Secure coding guidelines are essential material used to train and raise awareness of software developers on the topic of secure software development. In industrial environments, since developer time is costly, and training and education is part of non-productive hours, it is important to address and stress the most important topics first. In this work, we devise a method, based on publicly available real-world vulnerability databases and secure coding guideline databases, to rank important secure coding guidelines based on defined industry-relevant metrics. The goal is to define priorities for a teaching curriculum on raising cybersecurity awareness of software developers on secure coding guidelines. Furthermore, we do a small comparison study by asking computer science students from university on how they rank the importance of secure coding guidelines and compare the outcome to our results.
2021 International Conference on Code Quality (ICCQ), 2021
Security bugs are errors in code that, when exploited, can lead to serious software vulnerabiliti... more Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers' awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia...
Cybersecurity vulnerabilities in industrial control systems have been steadily increasing over th... more Cybersecurity vulnerabilities in industrial control systems have been steadily increasing over the last few years. One possible way to address this issue is through raising the awareness (through education) of software developers, with the intent to increase software quality and reduce the number of vulnerabilities. CyberSecurity Challenges (CSCs) are a novel serious game genre that aims to raise industrial software developers’ awareness of secure coding, secure coding guidelines, and secure coding best practices. An important industry-specific requirement to consider in designing these kinds of games is related to the whole event’s duration and how much time it takes to solve each challenge individually—the challenge solve time. In this work, we present two different methods to compute the challenge solve time: one method based on data collected from the CSC dashboard and another method based on a challenge heartbeat. The results obtained by both methods are presented; both methods...
To minimize the possibility of introducing vulnerabilities in source code, software developers ma... more To minimize the possibility of introducing vulnerabilities in source code, software developers may attend security awareness and secure coding training. From the various approaches of how to raise awareness and adherence to coding standards, one promising novel approach is Cybersecurity Challenges. However, in an industrial setting, time is a precious resource, and, therefore, one needs to understand how to optimize the gaming experience of Cybersecurity Challenges and the effect of this game on secure coding skills. This work identifies the time spent solving challenges of different categories, analyzes gaming strategies in terms of a slow and fast team profile, and relates these profiles to the game success. First results indicate that the slow strategy is more successful than the fast approach. The authors also analyze the possible implications in the design and the training of secure coding in an industrial setting by means of Cybersecurity Challenges. This work concludes with a...
Awareness of cybersecurity topics facilitates software developers to produce secure code. This aw... more Awareness of cybersecurity topics facilitates software developers to produce secure code. This awareness is especially important in industrial environments for the products and services in critical infrastructures. In this work, we address how to raise awareness of software developers on the topic of secure coding. We propose the ”CyberSecurity Challenges”, a serious game designed to be used in an industrial environment and address software developers’ needs. Our work distills the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine these games.
Die Sicherheit kritischer Infrastrukturen wird als Selbstverständlichkeit angesehen: Wirkliche Pr... more Die Sicherheit kritischer Infrastrukturen wird als Selbstverständlichkeit angesehen: Wirkliche Probleme, wie häufige Stromausfälle, unrichtige Daten oder Lieferengpässe, kennt man eher aus anderen Ländern und die Gefahren des Cyber raums erscheinen im Vergleich unwirklich. Wie verwundbar sind kritische Infrastrukturen gegenüber Cyberbedrohungen?
Security in critical infrastructures is a highly relevant topic and as the level of security of c... more Security in critical infrastructures is a highly relevant topic and as the level of security of critical infrastructures needs to be increased the need for adequate methods and tools is apparent. “Processes and their properties” is the analysis perspective through which we revisit empirical data from our research on critical infrastructures to identify future research directions in security.
Command and Control teams in modern military and disaster response organizations work often synch... more Command and Control teams in modern military and disaster response organizations work often synchronously and are ad-hoc. We explore communication and performance of synchronous ad-hoc teams in an exploratory experiment study utilizing the team-shooter Battlefield 2 as experiment platform. We identify communication content aspects and communication patterns as the rhythm how communication deals with either the team or with enemy that differ in successful and unsuccessful teams. Introduction Today’s military and disaster response operations are complex and demand agile organization (Alberts and Hayes 2007; SAS-065 2009). Current scenarios require collaborating organizations to meet mission complexity. This mission complexity calls for new C2 approaches as e.g., Power to the Edge (Alberts and Hayes 2003) based on close collaboration of entities. One concept—command and control teams (C2 teams)—is considered to be purposeful to organize collaboration (Salas et al. 2001; Essens et al. 2...
Im Rahmen des Deutsch-Österreichischen Forschungsprojekts NutriSafe (Sicherheit in der Lebensmitt... more Im Rahmen des Deutsch-Österreichischen Forschungsprojekts NutriSafe (Sicherheit in der Lebensmittelproduktion und -logistik durch die Distributed-Ledger-Technologie) wurde eine Analyse zur Identifikation von relevanten Schwachstellen und Angriffsketten in Wertschöpfungsketten von Lebensmitteln durchgeführt. Die vorliegende Arbeit beschreibt die Analyse der IT-Infrastrukturen von fiktiven, aber der Realität nachempfundenen Akteuren der Wertschöpfungskette, basierend auf einem der Szenarien des NutriSafe-Projekts. Ergebnisse sind Beziehungen von Gefährdungen zu IT-Infrastrukturen und Modelle von Angriffsketten in Form von Attack Trees.
Distributed Computing and Internet Technology, 2018
IT security in critical infrastructures is one of the main challenges in informatics today. This ... more IT security in critical infrastructures is one of the main challenges in informatics today. This contribution shares results and experiences from the research project VeSiKi. The discussion begins with the human factor in cybersecurity, with economic and strategic approaches to cybersecurity and presents selected results form a case study series on Cybersecurity and an eclectic summary of results from a Cybersecurity research program.
An object-oriented model of an airport has been developed to assess the parallel object-oriented ... more An object-oriented model of an airport has been developed to assess the parallel object-oriented speci#cation language Maude. The model includes airplanes, gates, baggage handling, ground control and tower and has been implemented on the OBJ3 system, which serves as a rudimentary interpreter for Maude. We discuss twoways of specifying objects and present two notions of behavioral re#nement in Maude.
Over the last decade the speed at which knowledge is generated has greatly accelerated, thus exac... more Over the last decade the speed at which knowledge is generated has greatly accelerated, thus exacerbating the problem of finding the right information at the right time and posing new kinds of challenges to the management of an ever increasing pool of knowledge. Taking up the ideas of the ancient Greek concept of Academia, the “NetAcademy” is aiming at providing a knowledge medium to aid in the creation, integration, reviewing and dissemination of domain-specific knowledge in the scientific community ...
This report documents the program and the outcomes of Dagstuhl Seminar 13041 “Civilian Crisis Res... more This report documents the program and the outcomes of Dagstuhl Seminar 13041 “Civilian Crisis Response Models”. The vulnerability of modern societies to the threats of man made and natural disaster increases and scale and number of disasters are expected to rise. The earthquakes of Haiti with its subsequent Cholera epidemics, the natural disasters in Pakistan as well as the ongoing situation in Japan illustrate the need for effective and efficient crisis and disaster response organizations as well as humanitarian aid organizations in developing and first world countries. Disaster preparedness is a key to effectiveness and efficiency in case of crisis or disaster – but we observe that natural and human disasters are too often beyond what is being planned for. There is a need for new and better approaches in disaster and crises response and humanitarian aid. There is a need for well designed systems as well as for models, methods, instruments and tools for analysis and decision making...
Today, many products and solutions are provided on the cloud; however, the amount and financial l... more Today, many products and solutions are provided on the cloud; however, the amount and financial losses due to cloud security incidents illustrate the critical need to do more to protect cloud assets adequately. A gap lies in transferring what cloud and security standards recommend and require to industry practitioners working in the front line. It is of paramount importance to raise awareness about cloud security of these industrial practitioners. Under the guidance of design science paradigm, we introduce a serious game to help participants understand the inherent risks, understand the different roles, and encourage proactive defensive thinking in defending cloud assets. In our game, we designed and implemented an automated evaluator as a novel element. We invite the players to build defense plans and attack plans for which the evaluator calculates success likelihoods. The primary target group is industry practitioners, whereas people with limited background knowledge about cloud s...
Secure coding guidelines are essential material used to train and raise awareness of software dev... more Secure coding guidelines are essential material used to train and raise awareness of software developers on the topic of secure software development. In industrial environments, since developer time is costly, and training and education is part of non-productive hours, it is important to address and stress the most important topics first. In this work, we devise a method, based on publicly available real-world vulnerability databases and secure coding guideline databases, to rank important secure coding guidelines based on defined industry-relevant metrics. The goal is to define priorities for a teaching curriculum on raising cybersecurity awareness of software developers on secure coding guidelines. Furthermore, we do a small comparison study by asking computer science students from university on how they rank the importance of secure coding guidelines and compare the outcome to our results.
2021 International Conference on Code Quality (ICCQ), 2021
Security bugs are errors in code that, when exploited, can lead to serious software vulnerabiliti... more Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers' awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia...
Cybersecurity vulnerabilities in industrial control systems have been steadily increasing over th... more Cybersecurity vulnerabilities in industrial control systems have been steadily increasing over the last few years. One possible way to address this issue is through raising the awareness (through education) of software developers, with the intent to increase software quality and reduce the number of vulnerabilities. CyberSecurity Challenges (CSCs) are a novel serious game genre that aims to raise industrial software developers’ awareness of secure coding, secure coding guidelines, and secure coding best practices. An important industry-specific requirement to consider in designing these kinds of games is related to the whole event’s duration and how much time it takes to solve each challenge individually—the challenge solve time. In this work, we present two different methods to compute the challenge solve time: one method based on data collected from the CSC dashboard and another method based on a challenge heartbeat. The results obtained by both methods are presented; both methods...
Uploads
Papers by Ulrike Lechner