[{"abstract":[{"lang":"eng","text":"In the contest between the development of new hardware Trojans and corresponding countermeasures, adversaries are taking ever more sophisticated paths to infect circuit designs and thereby outwit even advanced test and verification methods. Apart from the conventional methods of smuggling a Trojan into a circuit for a field-programmable gate array (FPGA), the design tools can also be secretly compromised to help an attacker carry out a successful attack that can, for example, cause malfunctions or unwanted information leakage. This dissertation mainly deals with the two viewpoints on hardware Trojans in reconfigurable systems: on the one hand the defender's perspective, with a method for detecting Trojans at the bitstream level, and on the other hand the attacker's perspective, with a novel attack method for FPGA Trojans. For the defense against the ``Malicious LUT'' Trojan, we present the very first successful countermeasure, which can be applied through verification by means of proof-carrying hardware (PCH) at the bitstream level directly before the hardware is configured, and we present a complete scheme for the design and verification of circuits for iCE40 FPGAs. 
For the opposing side, we introduce a new attack that exploits malicious routing in the inserted Trojan to remain in an inactive state even in the finished bitstream: as a result, this novel attack can currently be detected neither by conventional test and verification methods nor by our previously presented bitstream-level verification."},{"text":"The battle of developing hardware Trojans and corresponding countermeasures has taken adversaries towards ingenious ways of compromising hardware designs by circumventing even advanced testing and verification methods. Besides conventional methods of inserting Trojans into a design by a malicious entity, the design flow for field-programmable gate arrays (FPGAs) can also be surreptitiously compromised to assist the attacker to perform a successful malfunctioning or information leakage attack. This thesis mainly focuses on the two aspects of hardware Trojans in reconfigurable systems, the defender's perspective which corresponds to the bitstream-level Trojan detection technique, and the attacker's perspective which corresponds to a novel FPGA Trojan attack. From the defender's perspective, we introduce a first-ever successful pre-configuration countermeasure against the ``Malicious LUT''-hardware Trojan, by employing bitstream-level Proof-Carrying Hardware (PCH) and present the complete design-and-verification flow for iCE40 FPGAs. Likewise, from an attacker's perspective, we present a novel attack that leverages malicious routing of the inserted Trojan circuit to acquire a dormant state even in the generated and transmitted bitstream. 
Since the Trojan is injected in a post-synthesis step and remains unconnected in the bitstream, the presented attack can currently neither be prevented by conventional testing and verification methods nor by bitstream-level verification techniques.","lang":"eng"}],"user_id":"477","ddc":["004"],"keyword":["FPGA Security","Hardware Trojans","Bitstream-level Trojans","Bitstream Verification"],"publisher":" Paderborn University, Paderborn, Germany","author":[{"first_name":"Qazi Arbab","orcid":"0000-0002-1837-2254","full_name":"Ahmed, Qazi Arbab","last_name":"Ahmed","id":"72764"}],"date_created":"2022-02-07T14:02:36Z","has_accepted_license":"1","status":"public","_id":"29769","main_file_link":[{"open_access":"1","url":"\turn:nbn:de:hbz:466:2-40303"}],"supervisor":[{"last_name":"Platzner","id":"398","first_name":"Marco","full_name":"Platzner, Marco"}],"citation":{"mla":"Ahmed, Qazi Arbab. Hardware Trojans in Reconfigurable Computing. Paderborn University, Paderborn, Germany, 2022, doi:10.17619/UNIPB/1-1271.","bibtex":"@book{Ahmed_2022, place={Paderborn}, title={Hardware Trojans in Reconfigurable Computing}, DOI={10.17619/UNIPB/1-1271}, publisher={ Paderborn University, Paderborn, Germany}, author={Ahmed, Qazi Arbab}, year={2022} }","chicago":"Ahmed, Qazi Arbab. Hardware Trojans in Reconfigurable Computing. Paderborn: Paderborn University, Paderborn, Germany, 2022. https://doi.org/10.17619/UNIPB/1-1271.","apa":"Ahmed, Q. A. (2022). Hardware Trojans in Reconfigurable Computing. Paderborn University, Paderborn, Germany. https://doi.org/10.17619/UNIPB/1-1271","ama":"Ahmed QA. Hardware Trojans in Reconfigurable Computing. Paderborn University, Paderborn, Germany; 2022. doi:10.17619/UNIPB/1-1271","ieee":"Q. A. Ahmed, Hardware Trojans in Reconfigurable Computing. Paderborn: Paderborn University, Paderborn, Germany, 2022.","short":"Q.A. 
Ahmed, Hardware Trojans in Reconfigurable Computing, Paderborn University, Paderborn, Germany, Paderborn, 2022."},"type":"dissertation","year":"2022","place":"Paderborn","title":"Hardware Trojans in Reconfigurable Computing","department":[{"_id":"78"}],"project":[{"name":"SFB 901: SFB 901","_id":"1"},{"name":"SFB 901 - C: SFB 901 - Project Area C","_id":"4"},{"name":"SFB 901 - C2: SFB 901 - Subproject C2","_id":"14"}],"publication_status":"published","date_updated":"2022-11-30T13:39:01Z","oa":"1","doi":"10.17619/UNIPB/1-1271","language":[{"iso":"eng"}]},{"publication":"Australasian Conference on Information Systems (ACIS)","keyword":["Student","Security","Projekt-CYWARN"],"publisher":"AIS Electronic Library (AISel)","author":[{"last_name":"Eyilmez","first_name":"Kaan","full_name":"Eyilmez, Kaan"},{"last_name":"Basyurt","full_name":"Basyurt, Ali Sercan","first_name":"Ali Sercan"},{"last_name":"Stieglitz","first_name":"Stefan","full_name":"Stieglitz, Stefan"},{"last_name":"Fuchss","full_name":"Fuchss, Christoph","first_name":"Christoph"},{"last_name":"Kaufhold","full_name":"Kaufhold, Marc-André","first_name":"Marc-André"},{"last_name":"Reuter","full_name":"Reuter, Christian","first_name":"Christian"},{"full_name":"Mirbabaie, Milad","first_name":"Milad","id":"88691","last_name":"Mirbabaie"}],"date_created":"2023-01-17T15:46:42Z","status":"public","title":"A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication","user_id":"80546","citation":{"chicago":"Eyilmez, Kaan, Ali Sercan Basyurt, Stefan Stieglitz, Christoph Fuchss, Marc-André Kaufhold, Christian Reuter, and Milad Mirbabaie. “A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication.” In Australasian Conference on Information Systems (ACIS). AIS Electronic Library (AISel), 2022.","ama":"Eyilmez K, Basyurt AS, Stieglitz S, et al. A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication. 
In: Australasian Conference on Information Systems (ACIS). AIS Electronic Library (AISel); 2022.","apa":"Eyilmez, K., Basyurt, A. S., Stieglitz, S., Fuchss, C., Kaufhold, M.-A., Reuter, C., & Mirbabaie, M. (2022). A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication. Australasian Conference on Information Systems (ACIS).","bibtex":"@inproceedings{Eyilmez_Basyurt_Stieglitz_Fuchss_Kaufhold_Reuter_Mirbabaie_2022, title={A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication}, booktitle={Australasian Conference on Information Systems (ACIS)}, publisher={AIS Electronic Library (AISel)}, author={Eyilmez, Kaan and Basyurt, Ali Sercan and Stieglitz, Stefan and Fuchss, Christoph and Kaufhold, Marc-André and Reuter, Christian and Mirbabaie, Milad}, year={2022} }","mla":"Eyilmez, Kaan, et al. “A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication.” Australasian Conference on Information Systems (ACIS), AIS Electronic Library (AISel), 2022.","short":"K. Eyilmez, A.S. Basyurt, S. Stieglitz, C. Fuchss, M.-A. Kaufhold, C. Reuter, M. Mirbabaie, in: Australasian Conference on Information Systems (ACIS), AIS Electronic Library (AISel), 2022.","ieee":"K. Eyilmez et al., “A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication,” 2022."},"type":"conference","year":"2022","language":[{"iso":"eng"}],"date_updated":"2023-01-18T07:59:21Z","_id":"37157"},{"type":"book_chapter","year":"2020","citation":{"short":"T. Jager, D. Niehues, in: Lecture Notes in Computer Science, Cham, 2020.","ieee":"T. Jager and D. Niehues, “On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions,” in Lecture Notes in Computer Science, Cham, 2020.","apa":"Jager, T., & Niehues, D. (2020). On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions. In Lecture Notes in Computer Science. Cham. 
https://doi.org/10.1007/978-3-030-38471-5_13","ama":"Jager T, Niehues D. On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions. In: Lecture Notes in Computer Science. Cham; 2020. doi:10.1007/978-3-030-38471-5_13","chicago":"Jager, Tibor, and David Niehues. “On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions.” In Lecture Notes in Computer Science. Cham, 2020. https://doi.org/10.1007/978-3-030-38471-5_13.","mla":"Jager, Tibor, and David Niehues. “On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions.” Lecture Notes in Computer Science, 2020, doi:10.1007/978-3-030-38471-5_13.","bibtex":"@inbook{Jager_Niehues_2020, place={Cham}, title={On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions}, DOI={10.1007/978-3-030-38471-5_13}, booktitle={Lecture Notes in Computer Science}, author={Jager, Tibor and Niehues, David}, year={2020} }"},"main_file_link":[{"url":"https://link.springer.com/content/pdf/10.1007%252F978-3-030-38471-5_13.pdf"}],"_id":"21396","conference":{"end_date":"2019-08-16","location":"Waterloo, Canada","start_date":"2019-08-12","name":"Selected Areas in Cryptography"},"status":"public","has_accepted_license":"1","date_created":"2021-03-08T16:50:31Z","author":[{"last_name":"Jager","first_name":"Tibor","full_name":"Jager, Tibor"},{"id":"36113","last_name":"Niehues","full_name":"Niehues, David","first_name":"David"}],"quality_controlled":"1","file_date_updated":"2021-03-08T17:02:37Z","publication":"Lecture Notes in Computer Science","keyword":["Admissible hash functions","Verifiable random functions","Error-correcting codes","Provable security"],"file":[{"file_name":"Jager und Niehues - 2020 - On the Real-World Instantiability of Admissible 
Ha.pdf","date_created":"2021-03-08T17:02:37Z","access_level":"closed","file_size":706743,"file_id":"21399","creator":"davnie","date_updated":"2021-03-08T17:02:37Z","content_type":"application/pdf","relation":"main_file"}],"ddc":["000"],"user_id":"36113","abstract":[{"text":"Verifiable random functions (VRFs) are essentially digital signatures with additional properties, namely verifiable uniqueness and pseudorandomness, which make VRFs a useful tool, e.g., to prevent enumeration in DNSSEC Authenticated Denial of Existence and the CONIKS key management system, or in the random committee selection of the Algorand blockchain.\r\n\r\nMost standard-model VRFs rely on admissible hash functions (AHFs) to achieve security against adaptive attacks in the standard model. Known AHF constructions are based on error-correcting codes, which yield asymptotically efficient constructions. However, previous works do not clarify how the code should be instantiated concretely in the real world. The rate and the minimal distance of the selected code have significant impact on the efficiency of the resulting cryptosystem, therefore it is unclear if and how the aforementioned constructions can be used in practice.\r\n\r\nFirst, we explain inherent limitations of code-based AHFs. Concretely, we assume that even if we were given codes that achieve the well-known Gilbert-Varshamov or McEliece-Rodemich-Rumsey-Welch bounds, existing AHF-based constructions of verifiable random functions (VRFs) can only be instantiated quite inefficiently. Then we introduce and construct computational AHFs (cAHFs). While classical AHFs are information-theoretic, and therefore work even in presence of computationally unbounded adversaries, cAHFs provide only security against computationally bounded adversaries. However, we show that cAHFs can be instantiated significantly more efficiently. 
Finally, we use our cAHF to construct the currently most efficient verifiable random function with full adaptive security in the standard model.","lang":"eng"}],"language":[{"iso":"eng"}],"doi":"10.1007/978-3-030-38471-5_13","date_updated":"2022-01-06T06:54:58Z","publication_status":"published","publication_identifier":{"isbn":["9783030384708","9783030384715"],"issn":["0302-9743","1611-3349"]},"project":[{"name":"SFB 901","_id":"1"},{"name":"SFB 901 - Project Area C","_id":"4"},{"name":"SFB 901 - Subproject C1","_id":"13"}],"department":[{"_id":"558"}],"title":"On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions","related_material":{"link":[{"relation":"later_version","url":"https://eprint.iacr.org/2019/1335.pdf"}]},"place":"Cham"},{"language":[{"iso":"eng"}],"oa":"1","date_updated":"2022-01-06T06:52:47Z","department":[{"_id":"277"}],"title":"Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements","page":"3 - 31","year":"2020","type":"journal_article","citation":{"short":"E. Szubartowicz, G. Schryen, Journal of Information System Security 16 (2020) 3–31.","ieee":"E. Szubartowicz and G. Schryen, “Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements,” Journal of Information System Security, vol. 16, no. 1, pp. 3–31, 2020.","ama":"Szubartowicz E, Schryen G. Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements. Journal of Information System Security. 2020;16(1):3-31.","apa":"Szubartowicz, E., & Schryen, G. (2020). Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements. Journal of Information System Security, 16(1), 3–31.","chicago":"Szubartowicz, Eva, and Guido Schryen. 
“Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements.” Journal of Information System Security 16, no. 1 (2020): 3–31.","mla":"Szubartowicz, Eva, and Guido Schryen. “Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements.” Journal of Information System Security, vol. 16, no. 1, Information Institute Publishing, Washington DC, USA, 2020, pp. 3–31.","bibtex":"@article{Szubartowicz_Schryen_2020, title={Timing in Information Security: An Event Study on the Impact of Information Security Investment Announcements}, volume={16}, number={1}, journal={Journal of Information System Security}, publisher={Information Institute Publishing, Washington DC, USA}, author={Szubartowicz, Eva and Schryen, Guido}, year={2020}, pages={3–31} }"},"issue":"1","intvolume":" 16","_id":"16249","date_created":"2020-03-05T10:29:00Z","has_accepted_license":"1","status":"public","volume":16,"file":[{"creator":"hsiemes","file_id":"16250","file_size":478056,"relation":"main_file","date_updated":"2020-03-05T10:35:49Z","content_type":"application/pdf","file_name":"Timing in Information Security - JISSEC format PREPUBLICATION.pdf","date_created":"2020-03-05T10:26:11Z","access_level":"open_access"}],"publication":"Journal of Information System Security","keyword":["Event Study","Information Security","Investment Announcements","Stock Price Reaction","Value of Information Security Investments"],"file_date_updated":"2020-03-05T10:35:49Z","author":[{"last_name":"Szubartowicz","full_name":"Szubartowicz, Eva","first_name":"Eva"},{"last_name":"Schryen","id":"72850","first_name":"Guido","full_name":"Schryen, Guido"}],"publisher":"Information Institute Publishing, Washington DC, USA","user_id":"61579","ddc":["000"],"abstract":[{"text":"Timing plays a crucial role in the context of information security investments. 
We regard timing in two dimensions, namely the time of announcement in relation to the time of investment and the time of announcement in relation to the time of a fundamental security incident. The financial value of information security investments is assessed by examining the relationship between the investment announcements and their stock market reaction focusing on the two time dimensions. Using an event study methodology, we found that both dimensions influence the stock market return of the investing organization. Our results indicate that (1) after fundamental security incidents in a given industry, the stock price will react more positively to a firm’s announcement of actual information security investments than to announcements of the intention to invest; (2) the stock price will react more positively to a firm’s announcements of the intention to invest after the fundamental security incident compared to before; and (3) the stock price will react more positively to a firm’s announcements of actual information security investments after the fundamental security incident compared to before. Overall, the lowest abnormal return can be expected when the intention to invest is announced before a fundamental information security incident and the highest return when actual investing after a fundamental information security incident in the respective industry.","lang":"eng"}]},{"type":"conference","year":"2019","citation":{"chicago":"Koning, Ralph, Gleb Polevoy, Lydia Meijer, Cees de Laat, and Paola Grosso. “Approaches for Collaborative Security Defences in Multi Network Environments.” In 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 113–23. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 2019. 
https://doi.org/10.1109/CSCloud/EdgeCom.2019.000-9.","apa":"Koning, R., Polevoy, G., Meijer, L., de Laat, C., & Grosso, P. (2019). Approaches for Collaborative Security Defences in Multi Network Environments. In 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom) (pp. 113–123). https://doi.org/10.1109/CSCloud/EdgeCom.2019.000-9","ama":"Koning R, Polevoy G, Meijer L, de Laat C, Grosso P. Approaches for Collaborative Security Defences in Multi Network Environments. In: 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). ; 2019:113-123. doi:10.1109/CSCloud/EdgeCom.2019.000-9","mla":"Koning, Ralph, et al. “Approaches for Collaborative Security Defences in Multi Network Environments.” 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 2019, pp. 
113–23, doi:10.1109/CSCloud/EdgeCom.2019.000-9.","bibtex":"@inproceedings{Koning_Polevoy_Meijer_de Laat_Grosso_2019, series={2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)}, title={Approaches for Collaborative Security Defences in Multi Network Environments}, DOI={10.1109/CSCloud/EdgeCom.2019.000-9}, booktitle={2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)}, author={Koning, Ralph and Polevoy, Gleb and Meijer, Lydia and de Laat, Cees and Grosso, Paola}, year={2019}, pages={113–123}, collection={2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)} }","short":"R. Koning, G. Polevoy, L. Meijer, C. de Laat, P. Grosso, in: 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 2019, pp. 113–123.","ieee":"R. Koning, G. Polevoy, L. Meijer, C. de Laat, and P. Grosso, “Approaches for Collaborative Security Defences in Multi Network Environments,” in 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 2019, pp. 
113–123."},"page":"113-123","main_file_link":[{"url":"https://ieeexplore.ieee.org/abstract/document/8854057/authors#authors"}],"_id":"17667","conference":{"name":"2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)"},"status":"public","date_created":"2020-08-06T15:23:23Z","quality_controlled":"1","author":[{"last_name":"Koning","full_name":"Koning, Ralph","first_name":"Ralph"},{"id":"83983","last_name":"Polevoy","full_name":"Polevoy, Gleb","first_name":"Gleb"},{"first_name":"Lydia","full_name":"Meijer, Lydia","last_name":"Meijer"},{"last_name":"de Laat","full_name":"de Laat, Cees","first_name":"Cees"},{"first_name":"Paola","full_name":"Grosso, Paola","last_name":"Grosso"}],"publication":"2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)","keyword":["computer network security","multinetwork environments","multidomain defensive action","task execution order","timing influence defense efficiency","distributed attacks","collaborative security defence approach","minimize propagation approach","minimize countermeasure approach","counteract everywhere approach","Conferences","Cloud computing","Computer crime","Edge computing","Security","Defense Approaches","Multi-Domain Defense","Collaborative Defense","Defense Algorithms","Computer Networks"],"user_id":"83983","extern":"1","abstract":[{"text":"Resolving distributed attacks benefits from collaboration between networks. We present three approaches for the same multi-domain defensive action that can be applied in such an alliance: 1) Counteract Everywhere, 2) Minimize Countermeasures, and 3) Minimize Propagation. First, we provide a formula to compute efficiency of a defense; then we use this formula to compute the efficiency of the approaches under various circumstances. 
Finally, we discuss how task execution order and timing influence defense efficiency. Our results show that the Minimize Propagation approach is the most efficient method when defending against the chosen attack.","lang":"eng"}],"language":[{"iso":"eng"}],"series_title":"2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)","doi":"10.1109/CSCloud/EdgeCom.2019.000-9","date_updated":"2022-01-06T06:53:16Z","publication_identifier":{"issn":["null"]},"department":[{"_id":"63"},{"_id":"541"}],"title":"Approaches for Collaborative Security Defences in Multi Network Environments"},{"_id":"17666","date_updated":"2022-01-06T06:53:16Z","doi":"https://doi.org/10.1016/j.future.2018.08.011","citation":{"ieee":"R. Koning, B. de Graaff, G. Polevoy, R. Meijer, C. de Laat, and P. Grosso, “Measuring the efficiency of SDN mitigations against attacks on computer infrastructures,” Future Generation Computer Systems, 2018.","short":"R. Koning, B. de Graaff, G. Polevoy, R. Meijer, C. de Laat, P. Grosso, Future Generation Computer Systems (2018).","bibtex":"@article{Koning_de Graaff_Polevoy_Meijer_de Laat_Grosso_2018, title={Measuring the efficiency of SDN mitigations against attacks on computer infrastructures}, DOI={https://doi.org/10.1016/j.future.2018.08.011}, journal={Future Generation Computer Systems}, author={Koning, R. and de Graaff, B. and Polevoy, Gleb and Meijer, R. and de Laat, C. and Grosso, P.}, year={2018} }","mla":"Koning, R., et al. “Measuring the Efficiency of SDN Mitigations against Attacks on Computer Infrastructures.” Future Generation Computer Systems, 2018, doi:https://doi.org/10.1016/j.future.2018.08.011.","chicago":"Koning, R., B. de Graaff, Gleb Polevoy, R. Meijer, C. de Laat, and P. Grosso. “Measuring the Efficiency of SDN Mitigations against Attacks on Computer Infrastructures.” Future Generation Computer Systems, 2018. 
https://doi.org/10.1016/j.future.2018.08.011.","apa":"Koning, R., de Graaff, B., Polevoy, G., Meijer, R., de Laat, C., & Grosso, P. (2018). Measuring the efficiency of SDN mitigations against attacks on computer infrastructures. Future Generation Computer Systems. https://doi.org/10.1016/j.future.2018.08.011","ama":"Koning R, de Graaff B, Polevoy G, Meijer R, de Laat C, Grosso P. Measuring the efficiency of SDN mitigations against attacks on computer infrastructures. Future Generation Computer Systems. 2018. doi:https://doi.org/10.1016/j.future.2018.08.011"},"type":"journal_article","year":"2018","language":[{"iso":"eng"}],"extern":"1","abstract":[{"text":"Software Defined Networks (SDN) and Network Function Virtualisation (NFV) provide the basis for autonomous response and mitigation against attacks on networked computer infrastructures. We propose a new framework that uses SDNs and NFV to achieve this goal: Secure Autonomous Response Network (SARNET). In a SARNET, an agent running a control loop constantly assesses the security state of the network by means of observables. The agent reacts to and resolves security problems, while learning from its previous decisions. Two main metrics govern the decision process in a SARNET: impact and efficiency; these metrics can be used to compare and evaluate countermeasures and are the building blocks for self-learning SARNETs that exhibit autonomous response. 
In this paper we present the software implementation of the SARNET framework, evaluate it in a real-life network and discuss the tradeoffs between parameters used by the SARNET agent and the efficiency of its actions.","lang":"eng"}],"title":"Measuring the efficiency of SDN mitigations against attacks on computer infrastructures","user_id":"83983","keyword":["Software defined networks","Network function virtualization","Cyber attacks","Cyber security","Defense efficiency","Overlay networks"],"publication":"Future Generation Computer Systems","department":[{"_id":"63"},{"_id":"541"}],"author":[{"last_name":"Koning","full_name":"Koning, R.","first_name":"R."},{"full_name":"de Graaff, B.","first_name":"B.","last_name":"de Graaff"},{"first_name":"Gleb","full_name":"Polevoy, Gleb","last_name":"Polevoy","id":"83983"},{"last_name":"Meijer","first_name":"R.","full_name":"Meijer, R."},{"last_name":"de Laat","first_name":"C.","full_name":"de Laat, C."},{"last_name":"Grosso","full_name":"Grosso, P.","first_name":"P."}],"publication_identifier":{"issn":["0167-739X"]},"date_created":"2020-08-06T15:23:11Z","status":"public"},{"ddc":["000"],"user_id":"61579","extern":"1","abstract":[{"lang":"eng","text":"The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms’ 
investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur at an ad-hoc basis."}],"volume":77,"date_created":"2018-11-14T11:24:37Z","has_accepted_license":"1","status":"public","publication":"Computers & Security","keyword":["Information Security Investments","Multiple Case Study","Organizations","Single Loop Learning","Double Loop Learning"],"file_date_updated":"2018-12-13T15:06:10Z","author":[{"full_name":"Weishäupl, Eva","first_name":"Eva","last_name":"Weishäupl"},{"first_name":"Emrah","full_name":"Yasasin, Emrah","last_name":"Yasasin"},{"id":"72850","last_name":"Schryen","full_name":"Schryen, Guido","first_name":"Guido"}],"publisher":"Elsevier","file":[{"file_id":"6022","creator":"hsiemes","file_size":809490,"relation":"main_file","content_type":"application/pdf","date_updated":"2018-12-13T15:06:10Z","date_created":"2018-12-07T11:26:53Z","file_name":"JOURNAL VERSION.pdf","access_level":"open_access"}],"_id":"5586","intvolume":" 77","page":"807 - 823","citation":{"ama":"Weishäupl E, Yasasin E, Schryen G. Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning. Computers & Security. 2018;77:807-823.","apa":"Weishäupl, E., Yasasin, E., & Schryen, G. (2018). Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning. Computers & Security, 77, 807–823.","chicago":"Weishäupl, Eva, Emrah Yasasin, and Guido Schryen. “Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning.” Computers & Security 77 (2018): 807–23.","mla":"Weishäupl, Eva, et al. 
“Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning.” Computers & Security, vol. 77, Elsevier, 2018, pp. 807–23.","bibtex":"@article{Weishäupl_Yasasin_Schryen_2018, title={Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning}, volume={77}, journal={Computers & Security}, publisher={Elsevier}, author={Weishäupl, Eva and Yasasin, Emrah and Schryen, Guido}, year={2018}, pages={807–823} }","short":"E. Weishäupl, E. Yasasin, G. Schryen, Computers & Security 77 (2018) 807–823.","ieee":"E. Weishäupl, E. Yasasin, and G. Schryen, “Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning,” Computers & Security, vol. 77, pp. 807–823, 2018."},"year":"2018","type":"journal_article","title":"Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning","department":[{"_id":"277"}],"oa":"1","date_updated":"2022-01-06T07:02:03Z","language":[{"iso":"eng"}]},{"user_id":"5786","title":"An In-Depth Study of More Than Ten Years of Java Exploitation","status":"public","date_created":"2020-12-14T11:58:33Z","publication_identifier":{"isbn":["978-1-4503-4139-4"]},"author":[{"full_name":"Holzinger, Philipp","first_name":"Philipp","last_name":"Holzinger"},{"last_name":"Triller","first_name":"Stefan","full_name":"Triller, Stefan"},{"last_name":"Bartel","first_name":"Alexandre","full_name":"Bartel, Alexandre"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"keyword":["ATTRACT","access control","exploits","java security","security analysis","ITSECWEBSITE"],"publication":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications 
Security","department":[{"_id":"76"}],"doi":"http://doi.acm.org/10.1145/2976749.2978361","_id":"20719","date_updated":"2022-01-06T06:54:34Z","language":[{"iso":"eng"}],"type":"conference","year":"2016","citation":{"mla":"Holzinger, Philipp, et al. “An In-Depth Study of More Than Ten Years of Java Exploitation.” Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 779–90, doi:http://doi.acm.org/10.1145/2976749.2978361.","bibtex":"@inproceedings{Holzinger_Triller_Bartel_Bodden_2016, series={CCS ’16}, title={An In-Depth Study of More Than Ten Years of Java Exploitation}, DOI={http://doi.acm.org/10.1145/2976749.2978361}, booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security}, author={Holzinger, Philipp and Triller, Stefan and Bartel, Alexandre and Bodden, Eric}, year={2016}, pages={779–790}, collection={CCS ’16} }","ama":"Holzinger P, Triller S, Bartel A, Bodden E. An In-Depth Study of More Than Ten Years of Java Exploitation. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS ’16. ; 2016:779-790. doi:http://doi.acm.org/10.1145/2976749.2978361","apa":"Holzinger, P., Triller, S., Bartel, A., & Bodden, E. (2016). An In-Depth Study of More Than Ten Years of Java Exploitation. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 779–790. http://doi.acm.org/10.1145/2976749.2978361","chicago":"Holzinger, Philipp, Stefan Triller, Alexandre Bartel, and Eric Bodden. “An In-Depth Study of More Than Ten Years of Java Exploitation.” In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 779–90. CCS ’16, 2016. http://doi.acm.org/10.1145/2976749.2978361.","ieee":"P. Holzinger, S. Triller, A. Bartel, and E. Bodden, “An In-Depth Study of More Than Ten Years of Java Exploitation,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 
779–790, doi: http://doi.acm.org/10.1145/2976749.2978361.","short":"P. Holzinger, S. Triller, A. Bartel, E. Bodden, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 779–790."},"page":"779-790","series_title":"CCS '16"},{"_id":"5588","year":"2015","citation":{"short":"E. Weishäupl, E. Yasasin, G. Schryen, in: International Conference on Information Systems, 2015.","ieee":"E. Weishäupl, E. Yasasin, and G. Schryen, “A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory,” in International Conference on Information Systems, 2015.","ama":"Weishäupl E, Yasasin E, Schryen G. A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory. In: International Conference on Information Systems. ; 2015.","apa":"Weishäupl, E., Yasasin, E., & Schryen, G. (2015). A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory. In International Conference on Information Systems.","chicago":"Weishäupl, Eva, Emrah Yasasin, and Guido Schryen. “A Multi-Theoretical Literature Review on Information Security Investments Using the Resource-Based View and the Organizational Learning Theory.” In International Conference on Information Systems, 2015.","bibtex":"@inproceedings{Weishäupl_Yasasin_Schryen_2015, title={A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory}, booktitle={International Conference on Information Systems}, author={Weishäupl, Eva and Yasasin, Emrah and Schryen, Guido}, year={2015} }","mla":"Weishäupl, Eva, et al. 
“A Multi-Theoretical Literature Review on Information Security Investments Using the Resource-Based View and the Organizational Learning Theory.” International Conference on Information Systems, 2015."},"type":"conference","ddc":["000"],"user_id":"61579","extern":"1","abstract":[{"lang":"eng","text":"The protection of information technology (IT) has become and is predicted to remain a key economic challenge for organizations. While research on IT security investment is fast growing, it lacks a theoretical basis for structuring research, explaining economic-technological phenomena and guide future research. We address this shortcoming by suggesting a new theoretical model emerging from a multi-theoretical perspective adopting the Resource-Based View and the Organizational Learning Theory. The joint application of these theories allows to conceptualize in one theoretical model the organizational learning effects that occur when the protection of organizational resources through IT security countermeasures develops over time. We use this model of IT security investments to synthesize findings of a large body of literature and to derive research gaps. 
We also discuss managerial implications of (closing) these gaps by providing practical examples."}],"date_created":"2018-11-14T11:25:38Z","has_accepted_license":"1","status":"public","file_date_updated":"2018-12-13T15:09:32Z","publication":"International Conference on Information Systems","keyword":["Information Security","Investment","Literature review","Resource-based View","Organizational Learning Theory","Multi-theoretical Perspective"],"author":[{"full_name":"Weishäupl, Eva","first_name":"Eva","last_name":"Weishäupl"},{"last_name":"Yasasin","first_name":"Emrah","full_name":"Yasasin, Emrah"},{"id":"72850","last_name":"Schryen","full_name":"Schryen, Guido","first_name":"Guido"}],"file":[{"access_level":"open_access","date_created":"2018-12-07T11:45:31Z","file_name":"ICIS PROCEEDINGS PAPER - Security Investments.pdf","relation":"main_file","content_type":"application/pdf","date_updated":"2018-12-13T15:09:32Z","creator":"hsiemes","file_id":"6038","file_size":958019}],"oa":"1","date_updated":"2022-01-06T07:02:03Z","language":[{"iso":"eng"}],"title":"A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory","department":[{"_id":"277"}]},{"_id":"5590","year":"2015","type":"conference","citation":{"bibtex":"@inproceedings{Weishäupl_Kunz_Yasasin_Wagner_Prester_Schryen_Pernul_2015, title={Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory}, booktitle={2nd International Workshop on Security in highly connected IT Systems (SHCIS?15)}, author={Weishäupl, Eva and Kunz, Michael and Yasasin, Emrah and Wagner, Gerit and Prester, Julian and Schryen, Guido and Pernul, Günther}, year={2015} }","mla":"Weishäupl, Eva, et al. 
“Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory.” 2nd International Workshop on Security in Highly Connected IT Systems (SHCIS?15), 2015.","chicago":"Weishäupl, Eva, Michael Kunz, Emrah Yasasin, Gerit Wagner, Julian Prester, Guido Schryen, and Günther Pernul. “Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory.” In 2nd International Workshop on Security in Highly Connected IT Systems (SHCIS?15), 2015.","apa":"Weishäupl, E., Kunz, M., Yasasin, E., Wagner, G., Prester, J., Schryen, G., & Pernul, G. (2015). Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory. In 2nd International Workshop on Security in highly connected IT Systems (SHCIS?15).","ama":"Weishäupl E, Kunz M, Yasasin E, et al. Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory. In: 2nd International Workshop on Security in Highly Connected IT Systems (SHCIS?15). ; 2015.","ieee":"E. Weishäupl et al., “Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory,” in 2nd International Workshop on Security in highly connected IT Systems (SHCIS?15), 2015.","short":"E. Weishäupl, M. Kunz, E. Yasasin, G. Wagner, J. Prester, G. Schryen, G. Pernul, in: 2nd International Workshop on Security in Highly Connected IT Systems (SHCIS?15), 2015."},"abstract":[{"text":"Nowadays, providing employees with failure-free access to various systems, applications and services is a crucial factor for organizations’ success as disturbances potentially inhibit smooth workflows and thereby harm productivity. However, it is a challenging task to assign access rights to employees’ accounts within a satisfying time frame. In addition, the management of multiple accounts and identities can be very onerous and time consuming for the responsible administrator and therefore expensive for the organization. 
In order to meet these challenges, firms decide to invest in introducing an Identity and Access Management System (IAMS) that supports the organization by using policies to assign permissions to accounts, groups, and roles. In practice, since various versions of IAMSs exist, it is a challenging task to decide upon introduction of an IAMS. The following study proposes a first attempt of a decision support model for practitioners which considers four alternatives: Introduction of an IAMS with Role-based Access Control (RBAC) or without and no introduction of IAMS again with or without RBAC. To underpin the practical applicability of the proposed model, we parametrize and operationalize it based on a real world use case using input from an expert interview.","lang":"eng"}],"extern":"1","user_id":"61579","ddc":["000"],"file":[{"relation":"main_file","content_type":"application/pdf","date_updated":"2018-12-13T15:09:54Z","file_id":"6040","creator":"hsiemes","file_size":166015,"access_level":"open_access","date_created":"2018-12-07T11:46:28Z","file_name":"Towards an Economic Approach to IAMS.PDF"}],"publication":"2nd International Workshop on Security in highly connected IT Systems (SHCIS?15)","file_date_updated":"2018-12-13T15:09:54Z","keyword":["Identity and Access Management","Economic Decision Making","Information Systems","Information Security Investment","Decision Theory"],"author":[{"first_name":"Eva","full_name":"Weishäupl, Eva","last_name":"Weishäupl"},{"last_name":"Kunz","first_name":"Michael","full_name":"Kunz, Michael"},{"last_name":"Yasasin","full_name":"Yasasin, Emrah","first_name":"Emrah"},{"last_name":"Wagner","full_name":"Wagner, Gerit","first_name":"Gerit"},{"last_name":"Prester","first_name":"Julian","full_name":"Prester, Julian"},{"first_name":"Guido","full_name":"Schryen, Guido","last_name":"Schryen","id":"72850"},{"full_name":"Pernul, 
Günther","first_name":"Günther","last_name":"Pernul"}],"date_created":"2018-11-14T11:27:20Z","has_accepted_license":"1","status":"public","date_updated":"2022-01-06T07:02:04Z","oa":"1","language":[{"iso":"eng"}],"title":"Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory","department":[{"_id":"277"}]},{"issue":"4 Part","intvolume":" 4","_id":"5621","year":"2009","citation":{"mla":"Schryen, Guido, and Eliot Rich. “Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland.” IEEE Transactions on Information Forensics \\& Security, vol. 4, no. 4 Part, IEEE, 2009, pp. 729–44.","bibtex":"@article{Schryen_Rich_2009, title={Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland}, volume={4}, number={4 Part}, journal={IEEE Transactions on Information Forensics \\& Security}, publisher={IEEE}, author={Schryen, Guido and Rich, Eliot}, year={2009}, pages={729–744} }","ama":"Schryen G, Rich E. Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland. IEEE Transactions on Information Forensics \\& Security. 2009;4(4 Part):729-744.","apa":"Schryen, G., & Rich, E. (2009). Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland. IEEE Transactions on Information Forensics \\& Security, 4(4 Part), 729–744.","chicago":"Schryen, Guido, and Eliot Rich. “Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland.” IEEE Transactions on Information Forensics \\& Security 4, no. 4 Part (2009): 729–44.","ieee":"G. Schryen and E. 
Rich, “Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland,” IEEE Transactions on Information Forensics \\& Security, vol. 4, no. 4 Part, pp. 729–744, 2009.","short":"G. Schryen, E. Rich, IEEE Transactions on Information Forensics \\& Security 4 (2009) 729–744."},"type":"journal_article","page":"729-744","user_id":"61579","ddc":["000"],"abstract":[{"lang":"eng","text":"Remote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the electoral process loses transparency when it is encapsulated in information technology. In this paper, we examine the public record of three recent elections that used Internet voting. Our specific goal is to identify any potential flaws that security experts would recognize, but may have not been identified in the rush to implement technology. To do this, we present a multiple exploratory case study, looking at elections conducted between 2006 and 2007 in Estonia, Netherlands, and Switzerland. These elections were selected as particularly interesting and accessible, and each presents its own technical and security challenges. The electoral environment, technical design and process for each election are described, including reconstruction of details which are implied but not specified within the source material. We found that all three elections warrant significant concern about voter security, verifiability, and transparency. Usability, our fourth area of focus, seems to have been well-addressed in these elections. 
While our analysis is based on public documents and previously published reports, and therefore lacking access to any confidential materials held by electoral officials, this comparative analysis provides interesting insight and consistent questions across all these cases. Effective review of Internet voting requires an aggressive stance towards identifying potential security and operational flaws, and we encourage the use of third party reviews with critical technology skills during design, programming, and voting to reduce the chances of failure or fraud that would undermine public confidence."}],"extern":"1","has_accepted_license":"1","status":"public","date_created":"2018-11-14T14:06:44Z","volume":4,"file":[{"file_size":1544790,"creator":"hsiemes","file_id":"6316","content_type":"application/pdf","date_updated":"2018-12-18T13:16:07Z","relation":"main_file","file_name":"JOURNAL VERSION.pdf","date_created":"2018-12-18T13:16:07Z","access_level":"open_access"}],"publisher":"IEEE","author":[{"last_name":"Schryen","id":"72850","first_name":"Guido","full_name":"Schryen, Guido"},{"full_name":"Rich, Eliot","first_name":"Eliot","last_name":"Rich"}],"keyword":["e-voting","Internet voting","Internet election","security","verifiability","RIES","Estonia","Neuch{\\^a}tel"],"publication":"IEEE Transactions on Information Forensics \\& Security","file_date_updated":"2018-12-18T13:16:07Z","oa":"1","date_updated":"2022-01-06T07:02:12Z","language":[{"iso":"eng"}],"title":"Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland","department":[{"_id":"277"}]},{"title":"Open Source vs. 
Closed Source Software: Towards Measuring Security","department":[{"_id":"277"}],"oa":"1","date_updated":"2022-01-06T07:02:13Z","language":[{"iso":"eng"}],"user_id":"61579","ddc":["000"],"abstract":[{"lang":"eng","text":"The increasing availability and deployment of open source software in personal and commercial environments makes open source software highly appealing for hackers, and others who are interested in exploiting software vulnerabilities. This deployment has resulted in a debate “full of religion” on the security of open source software compared to that of closed source software. However, beyond such arguments, only little quantitative analysis on this research issue has taken place. We discuss the state-of-the-art of the security debate and identify shortcomings. Based on these, we propose new metrics, which allows to answer the question to what extent the review process of open source and closed source development has helped to fix vulnerabilities. We illustrate the application of some of these metrics in a case study on OpenOffice (open source software) vs. Microsoft Office (closed source software)."}],"extern":"1","date_created":"2018-11-14T14:12:27Z","has_accepted_license":"1","status":"public","file":[{"file_name":"ACM VERSION.pdf","date_created":"2018-12-18T13:14:09Z","access_level":"open_access","file_id":"6310","creator":"hsiemes","file_size":456497,"relation":"main_file","date_updated":"2018-12-18T13:14:09Z","content_type":"application/pdf"}],"publication":"24th Annual ACM Symposium on Applied Computing","file_date_updated":"2018-12-18T13:14:09Z","keyword":["Open source software","Closed source software","Security","Metrics"],"author":[{"last_name":"Schryen","id":"72850","first_name":"Guido","full_name":"Schryen, Guido"},{"last_name":"Kadura","full_name":"Kadura, Rouven","first_name":"Rouven"}],"_id":"5625","citation":{"short":"G. Schryen, R. Kadura, in: 24th Annual ACM Symposium on Applied Computing, 2009.","ieee":"G. Schryen and R. 
Kadura, “Open Source vs. Closed Source Software: Towards Measuring Security,” in 24th Annual ACM Symposium on Applied Computing, 2009.","ama":"Schryen G, Kadura R. Open Source vs. Closed Source Software: Towards Measuring Security. In: 24th Annual ACM Symposium on Applied Computing. ; 2009.","apa":"Schryen, G., & Kadura, R. (2009). Open Source vs. Closed Source Software: Towards Measuring Security. In 24th Annual ACM Symposium on Applied Computing.","chicago":"Schryen, Guido, and Rouven Kadura. “Open Source vs. Closed Source Software: Towards Measuring Security.” In 24th Annual ACM Symposium on Applied Computing, 2009.","mla":"Schryen, Guido, and Rouven Kadura. “Open Source vs. Closed Source Software: Towards Measuring Security.” 24th Annual ACM Symposium on Applied Computing, 2009.","bibtex":"@inproceedings{Schryen_Kadura_2009, title={Open Source vs. Closed Source Software: Towards Measuring Security}, booktitle={24th Annual ACM Symposium on Applied Computing}, author={Schryen, Guido and Kadura, Rouven}, year={2009} }"},"year":"2009","type":"conference"},{"language":[{"iso":"eng"}],"oa":"1","date_updated":"2022-01-06T07:02:19Z","department":[{"_id":"277"}],"title":"Security of open source and closed source software: An empirical comparison of published vulnerabilities","citation":{"mla":"Schryen, Guido. “Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities.” 15th Americas Conference on Information Systems, 2009.","bibtex":"@inproceedings{Schryen_2009, title={Security of open source and closed source software: An empirical comparison of published vulnerabilities}, booktitle={15th Americas Conference on Information Systems}, author={Schryen, Guido}, year={2009} }","ama":"Schryen G. Security of open source and closed source software: An empirical comparison of published vulnerabilities. In: 15th Americas Conference on Information Systems. ; 2009.","apa":"Schryen, G. (2009). 
Security of open source and closed source software: An empirical comparison of published vulnerabilities. In 15th Americas Conference on Information Systems.","chicago":"Schryen, Guido. “Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities.” In 15th Americas Conference on Information Systems, 2009.","ieee":"G. Schryen, “Security of open source and closed source software: An empirical comparison of published vulnerabilities,” in 15th Americas Conference on Information Systems, 2009.","short":"G. Schryen, in: 15th Americas Conference on Information Systems, 2009."},"type":"conference","year":"2009","_id":"5647","has_accepted_license":"1","status":"public","date_created":"2018-11-14T14:41:24Z","author":[{"first_name":"Guido","full_name":"Schryen, Guido","last_name":"Schryen","id":"72850"}],"publication":"15th Americas Conference on Information Systems","file_date_updated":"2018-12-18T13:16:39Z","keyword":["Vulnerabilities","security","open source software","closed source software","empirical comparison"],"file":[{"relation":"main_file","date_updated":"2018-12-18T13:16:39Z","content_type":"application/pdf","file_id":"6317","creator":"hsiemes","file_size":483690,"access_level":"open_access","date_created":"2018-12-18T13:16:39Z","file_name":"Security of Open Source and Closed Source Software An Empirical - AMCIS Version.pdf"}],"ddc":["000"],"user_id":"61579","extern":"1","abstract":[{"text":"Reviewing literature on open source and closed source security reveals that the discussion is often determined by biased attitudes toward one of these development styles. The discussion specifically lacks appropriate metrics, methodology and hard data. This paper contributes to solving this problem by analyzing and comparing published vulnerabilities of eight open source software and nine closed source software packages, all of which are widely deployed. 
Thereby, it provides an extensive empirical analysis of vulnerabilities in terms of mean time between vulnerability disclosures, the development of disclosure over time, and the severity of vulnerabilities, and allows for validating models provided in the literature. The investigation reveals that (a) the mean time between vulnerability disclosures was lower for open source software in half of the cases, while the other cases show no differences, (b) in contrast to literature assumption, 14 out of 17 software packages showed a significant linear or piecewise linear correlation between time and the number of published vulnerabilities, and (c) regarding the severity of vulnerabilities, no significant differences were found between open source and closed source.","lang":"eng"}]},{"_id":"5649","type":"conference","year":"2008","citation":{"chicago":"Schryen, Guido. “Practical Security of Large-Scale Elections: An Exploratory Case Study of Internet Voting in Estonia.” In 7th Workshop on E-Business (WEB 2008, AIS Special Interest Group on E-Business), 2008.","ama":"Schryen G. Practical Security of Large-scale Elections: An Exploratory Case Study of Internet Voting in Estonia. In: 7th Workshop on E-Business (WEB 2008, AIS Special Interest Group on E-Business). ; 2008.","apa":"Schryen, G. (2008). Practical Security of Large-scale Elections: An Exploratory Case Study of Internet Voting in Estonia. In 7th Workshop on e-Business (WEB 2008, AIS Special Interest Group on E-Business).","bibtex":"@inproceedings{Schryen_2008, title={Practical Security of Large-scale Elections: An Exploratory Case Study of Internet Voting in Estonia}, booktitle={7th Workshop on e-Business (WEB 2008, AIS Special Interest Group on E-Business)}, author={Schryen, Guido}, year={2008} }","mla":"Schryen, Guido. 
“Practical Security of Large-Scale Elections: An Exploratory Case Study of Internet Voting in Estonia.” 7th Workshop on E-Business (WEB 2008, AIS Special Interest Group on E-Business), 2008.","short":"G. Schryen, in: 7th Workshop on E-Business (WEB 2008, AIS Special Interest Group on E-Business), 2008.","ieee":"G. Schryen, “Practical Security of Large-scale Elections: An Exploratory Case Study of Internet Voting in Estonia,” in 7th Workshop on e-Business (WEB 2008, AIS Special Interest Group on E-Business), 2008."},"extern":"1","abstract":[{"lang":"eng","text":"The Estonian parliamentary election in 2007 is regarded as a success story of large-scale Internet elections. I use this election in a single case study on practical security to show that low quality of security and its management does not necessarily prevent large-scale Internet elections from being conducted. I also provide research propositions with regard to future challenges for large-scale Internet elections."}],"ddc":["000"],"user_id":"61579","author":[{"id":"72850","last_name":"Schryen","full_name":"Schryen, Guido","first_name":"Guido"}],"publication":"7th Workshop on e-Business (WEB 2008, AIS Special Interest Group on E-Business)","file_date_updated":"2018-12-18T13:18:21Z","keyword":["Internet voting","large-scale election","Estonian parliamentary election","security","security management"],"file":[{"date_created":"2018-12-18T13:18:21Z","file_name":"Schryen - Practical Security of Large-scale Elections - LNBIP - web version.pdf","access_level":"open_access","creator":"hsiemes","file_id":"6320","file_size":273231,"relation":"main_file","date_updated":"2018-12-18T13:18:21Z","content_type":"application/pdf"}],"has_accepted_license":"1","status":"public","date_created":"2018-11-14T14:43:23Z","date_updated":"2022-01-06T07:02:20Z","oa":"1","language":[{"iso":"eng"}],"title":"Practical Security of Large-scale Elections: An Exploratory Case Study of Internet Voting in 
Estonia","department":[{"_id":"277"}]},{"author":[{"first_name":"Guido","full_name":"Schryen, Guido","last_name":"Schryen","id":"72850"}],"publisher":"Elsevier","keyword":["Address-obfuscating techniques","email","empirical analysis","honeypot","security by design","security by obscurity","spam"],"publication":"Computers & Security","file_date_updated":"2018-12-18T13:27:01Z","file":[{"creator":"hsiemes","file_id":"6326","file_size":3026200,"relation":"main_file","date_updated":"2018-12-18T13:27:01Z","content_type":"application/pdf","date_created":"2018-12-18T13:27:01Z","file_name":"The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam - An Empirical Analysis - Journal version.pdf","access_level":"open_access"}],"volume":2,"status":"public","has_accepted_license":"1","date_created":"2018-11-14T14:53:12Z","extern":"1","abstract":[{"lang":"eng","text":"Email communication is encumbered with a mass of email messages which their recipients have neither requested nor require. Even worse, the impacts of these messages are far from being simply an annoyance, as they also involve economic damage. This manuscript examines the resource “email addresses”, which is vital for any potential bulk mailer and spammer. Both a methodology and a honeypot conceptualization for implementing an empirical analysis of the usage of email addresses placed on the Internet are proposed here. Their objective is to assess, on a quantitative basis, the extent of the current harassment and its development over time. This “framework” is intended to be extensible to measuring the effectiveness of address-obscuring techniques. The implementation of a pilot honeypot is described, which led to key findings, some of them being: (1) Web placements attract more than two-thirds (70\\%) of all honeypot spam emails, followed by newsgroup placements (28.6\\%) and newsletter subscriptions (1.4\\%), (2) the proportions of spam relating to the email addresses’ 
top-level domain can be statistically assumed to be uniformly distributed, (3) More than 43\\% of addresses on the web have been abused, whereas about 27\\% was the case for addresses on newsgroups and only about 4\\% was the case for addresses used for a newsletter subscription, (4) Regarding the development of email addresses’ attractiveness for spammers over time, the service “web sites” features a negative linear relationship, whereas the service “Usenet” shows a negative exponential relationship. (5) Only 1.54\\% of the spam emails showed an interrelation between the topic of the spam email and that of the location where the recipient’s address was placed, so that spammers are assumed to send their emails in a “context insensitive” manner. The results of the empirical analysis motivate the need for the protection of email addresses through obscuration. We analyze this need by formulating requirements for address obscuring techniques and we reveal to which extent today’s most relevant approaches fulfill these requirements."}],"ddc":["000"],"user_id":"61579","type":"journal_article","year":"2007","citation":{"chicago":"Schryen, Guido. “The Impact That Placing Email Addresses on the Internet Has on the Receipt of Spam ? An Empirical Analysis.” Computers & Security 2, no. 5 (2007): 361–72.","ama":"Schryen G. The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam ? An Empirical Analysis. Computers & Security. 2007;2(5):361-372.","apa":"Schryen, G. (2007). The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam ? An Empirical Analysis. Computers & Security, 2(5), 361–372.","bibtex":"@article{Schryen_2007, title={The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam ? An Empirical Analysis}, volume={2}, number={5}, journal={Computers & Security}, publisher={Elsevier}, author={Schryen, Guido}, year={2007}, pages={361–372} }","mla":"Schryen, Guido. 
“The Impact That Placing Email Addresses on the Internet Has on the Receipt of Spam ? An Empirical Analysis.” Computers & Security, vol. 2, no. 5, Elsevier, 2007, pp. 361–72.","short":"G. Schryen, Computers & Security 2 (2007) 361–372.","ieee":"G. Schryen, “The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam ? An Empirical Analysis,” Computers & Security, vol. 2, no. 5, pp. 361–372, 2007."},"page":"361-372","_id":"5658","intvolume":" 2","issue":"5","department":[{"_id":"277"}],"title":"The Impact that Placing Email Addresses on the Internet has on the Receipt of Spam ? An Empirical Analysis","language":[{"iso":"eng"}],"date_updated":"2022-01-06T07:02:22Z","oa":"1"},{"author":[{"first_name":"Max","full_name":"Ziegler, Max","last_name":"Ziegler"},{"id":"16243","last_name":"Müller","full_name":"Müller, Wolfgang","first_name":"Wolfgang"},{"first_name":"Robbie","full_name":"Schäfer, Robbie","last_name":"Schäfer"},{"last_name":"Loeser","full_name":"Loeser, Chris","first_name":"Chris"}],"publisher":"IEEE","keyword":["Intelligent networks","Smart homes","Middleware","Project management","Data security","Ubiquitous computing","Context-aware services","Computer architecture","Home automation","Environmental management"],"publication":"Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005)","department":[{"_id":"672"}],"publication_identifier":{"isbn":["0-7695-2424-9"]},"status":"public","date_created":"2023-01-24T08:39:45Z","place":"Copenhagen, Denmark ","abstract":[{"lang":"eng","text":"Currently, middleware for smart home networks with embedded and mobile devices are in the focus of several investigations. In this paper, we propose a middleware for secure management of device and user profiles by integrating a profile database with a generic authentication scheme for an X.509 enabled ticket management in the context of the OSGi framework. 
After the introduction of the individual system components and their interaction, we also discuss potential system attacks."}],"title":"Secure Profile Management in Smart Home Networks","user_id":"5786","citation":{"chicago":"Ziegler, Max, Wolfgang Müller, Robbie Schäfer, and Chris Loeser. “Secure Profile Management in Smart Home Networks.” In Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005). Copenhagen, Denmark : IEEE, 2005. https://doi.org/10.1109/DEXA.2005.171.","apa":"Ziegler, M., Müller, W., Schäfer, R., & Loeser, C. (2005). Secure Profile Management in Smart Home Networks. Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005). 16th International Workshop on Database and Expert Systems Applications (DEXA’05), Copenhagen, Denmark . https://doi.org/10.1109/DEXA.2005.171","ama":"Ziegler M, Müller W, Schäfer R, Loeser C. Secure Profile Management in Smart Home Networks. In: Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005). IEEE; 2005. doi:10.1109/DEXA.2005.171","mla":"Ziegler, Max, et al. “Secure Profile Management in Smart Home Networks.” Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005), IEEE, 2005, doi:10.1109/DEXA.2005.171.","bibtex":"@inproceedings{Ziegler_Müller_Schäfer_Loeser_2005, place={Copenhagen, Denmark }, title={Secure Profile Management in Smart Home Networks}, DOI={10.1109/DEXA.2005.171}, booktitle={Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005)}, publisher={IEEE}, author={Ziegler, Max and Müller, Wolfgang and Schäfer, Robbie and Loeser, Chris}, year={2005} }","short":"M. Ziegler, W. Müller, R. Schäfer, C. Loeser, in: Proceedings of the 1st International Workshop on Secure and Ubiquitous Networks (SUN-2005), IEEE, Copenhagen, Denmark , 2005.","ieee":"M. Ziegler, W. Müller, R. Schäfer, and C. 
Loeser, “Secure Profile Management in Smart Home Networks,” presented at the 16th International Workshop on Database and Expert Systems Applications (DEXA’05), Copenhagen, Denmark , 2005, doi: 10.1109/DEXA.2005.171."},"type":"conference","year":"2005","language":[{"iso":"eng"}],"_id":"39050","date_updated":"2023-01-24T08:39:50Z","conference":{"location":"Copenhagen, Denmark ","name":"16th International Workshop on Database and Expert Systems Applications (DEXA'05)"},"doi":"10.1109/DEXA.2005.171"},{"page":"1017-1021","type":"book_chapter","year":"2003","citation":{"ieee":"G. Schryen, “E-Democracy: Internet Voting,” in Proceedings of the IADIS International Conference WWW Internet 2003. vol. 2, Algarve: IADIS Press, 2003, pp. 1017–1021.","short":"G. Schryen, in: Proceedings of the IADIS International Conference WWW Internet 2003. Vol. 2, IADIS Press, Algarve, 2003, pp. 1017–1021.","mla":"Schryen, Guido. “E-Democracy: Internet Voting.” Proceedings of the IADIS International Conference WWW Internet 2003. Vol. 2, IADIS Press, 2003, pp. 1017–21.","bibtex":"@inbook{Schryen_2003, place={Algarve}, title={E-Democracy: Internet Voting}, booktitle={Proceedings of the IADIS International Conference WWW Internet 2003. vol. 2}, publisher={IADIS Press}, author={Schryen, Guido}, year={2003}, pages={1017–1021} }","apa":"Schryen, G. (2003). E-Democracy: Internet Voting. In Proceedings of the IADIS International Conference WWW Internet 2003. vol. 2 (pp. 1017–1021). Algarve: IADIS Press.","ama":"Schryen G. E-Democracy: Internet Voting. In: Proceedings of the IADIS International Conference WWW Internet 2003. Vol. 2. Algarve: IADIS Press; 2003:1017-1021.","chicago":"Schryen, Guido. “E-Democracy: Internet Voting.” In Proceedings of the IADIS International Conference WWW Internet 2003. Vol. 2, 1017–21. 
Algarve: IADIS Press, 2003."},"language":[{"iso":"eng"}],"_id":"5667","date_updated":"2022-01-06T07:02:25Z","date_created":"2018-11-14T15:01:49Z","status":"public","keyword":["Internet Voting","Online polls","E-Democracy","Security"],"department":[{"_id":"277"}],"publication":"Proceedings of the IADIS International Conference WWW Internet 2003. vol. 2","author":[{"full_name":"Schryen, Guido","first_name":"Guido","id":"72850","last_name":"Schryen"}],"publisher":"IADIS Press","title":"E-Democracy: Internet Voting","user_id":"61579","extern":"1","abstract":[{"text":"Voting via the Internet is part of electronic government and electronic democracy. However, there are many obstacles which have to be overcome, especially legal restrictions have to be transformed into technical and security solutions. In the first part the article discusses advantages and disadvantages of Internet elections, shows different application fields, and presents important international pilot schemes (political and business ones). In the second part, due to democratic basic principles, technological security aspects are worked out.","lang":"eng"}],"place":"Algarve"}]