his.se Publications
1 - 33 of 33
  • 1.
    Abbas, Assad
    et al.
    University of Skövde, School of Humanities and Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    Design issues related to the knowledge bases of medical decision support systems. 2010. In: Proceedings, ICIIT 2010 International Conference on Intelligence and Information Technology, 28-30 October, 2010, Lahore, Pakistan: Volume 2, Lahore: IEEE conference proceedings, 2010, p. 54-58. Conference paper (Refereed)
  • 2. Boldt, Martin
    et al.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    Phishing with Gifts as Bait: Measurement and Analysis of Phishing Attacks within a University Environment. 2010. Conference paper (Refereed)
  • 3.
    Hedström, Karin
    et al.
    Örebro University.
    Jäger, Kerstin
    University of Skövde, School of Technology and Society.
    Krasnizi, Hanife
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Linderoth, Henrik
    University of Skövde, School of Technology and Society.
    Nohlberg, Marcus
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Persson, Anne
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Åhlfeldt, Rose-Mharie
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Vårdens framtida informationssystem - Vision i form av en demonstrator: Slutrapport. 2010. Report (Other (popular science, discussion, etc.))
  • 4. Huber, Markus
    et al.
    Kowalski, Stewart
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Tjoa, Simon
    Towards Automating Social Engineering Using Social Networking Sites. 2009. In: 2009 International Conference on Computational Science and Engineering, IEEE Computer Society, 2009, p. 117-124. Conference paper (Refereed)
    Abstract [en]

    A growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a users’ privacy and arising implications are often neglected. In this paper we introduce a novel attack called automated social engineering which illustrates how social networking sites can be used for social engineering. Our approach takes classical social engineering one step further by automating tasks which formerly were very time-intensive. In order to evaluate our proposed attack cycle and our prototypical implementation (ASE bot), we conducted two experiments. Within the first experiment we examine the information gathering capabilities of our bot. The second evaluation of our prototype performs a Turing test. The promising results of the evaluation highlight the possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering bots.

  • 5.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Eriksson, Fredrik
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    The Development of a Password Classification Model. 2018. In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 14, no 1, p. 31-46. Article in journal (Refereed)
    Abstract [en]

    In order to ensure that we are the only ones that can access our data, we use authentication to secure our computers and different online accounts. Passwords remain the most common type of authentication, even if there are several different ways to authenticate, including biometrics and tokens. With this study we aim to reveal and collect the different strategies that users are using when designing their passwords. To achieve this, a model was developed using interactive interviews with computer forensic experts. The model was then applied on 5,000 passwords gathered from 50 different password databases that had leaked to the Internet. The result is a model that can be used to classify passwords based on the strategy used to create them. As such, the results of this study increase the understanding of passwords and they can be used as a tool in education and training, as well as in future research.

  • 6.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Eriksson, Fredrik
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Understanding passwords – a taxonomy of password creation strategies. 2019. In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 453-467. Article in journal (Refereed)
    Abstract [en]

    Purpose – Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords.

    Design/methodology/approach – The study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet.

    Findings – The result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model.

    Originality/value – On an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks.

  • 7.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Marcus, Nohlberg
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Online Fraud Defence by Context Based Micro Training. 2015. In: Online Fraud Defence by Context Based Micro Training / [ed] Steven M. Furnell, Nathan L. Clarke, University of Plymouth Press, 2015, p. 256-264. Conference paper (Refereed)
    Abstract [en]

    Online frauds are a category of Internet crime that has been increasing globally over the past years. Online fraudsters use a lot of different arenas and methods to commit their crimes and that is making defence against online fraudsters a difficult task. Today we see continuous warnings in the daily press and both researchers and governmental web-pages propose that Internet users gather knowledge about online frauds in order to avoid victimisation. In this paper we suggest a framework for presenting this knowledge to the Internet users when they are about to enter a situation where they need it. We provide an evaluation of the framework that indicates that it can both make users less prone to fraudulent ads and more trusting towards legitimate ads. This is done with a survey containing 117 participants over two groups where the participants were asked to rate the trustworthiness of fraudulent and legitimate ads. One group used the framework before the rating and the other group did not. The results showed that, in our study, the participants using the framework put less trust in fraudulent ads and more trust in legitimate ads.

  • 8.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Defining and modeling the online fraud process. 2018. In: Proceedings of the twelfth International Symposium on Human Aspects of Information Security & Assurance: HAISA 2018 / [ed] Nathan L. Clarke, Steven M. Furnell, Plymouth: University of Plymouth Press, 2018, p. 203-213. Conference paper (Refereed)
  • 9.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Using Context Based MicroTraining to Develop OER for the Benefit of All. 2019. In: Proceedings of the 15th International Symposium on Open Collaboration, OpenSym 2019, 20-22 August 2019, Skövde, Sweden, New York: ACM Digital Library, 2019, article id A7. Conference paper (Refereed)
    Abstract [en]

    This paper demonstrates how Context Based MicroTraining (CBMT) can be used to develop open educational resources in a way that benefits students enrolled in university courses as well as anyone who wants to participate in open-learning activities. CBMT is a framework that provides guidelines for how educational resources should be structured. CBMT stipulates that information should be presented in short sequences and that is relevant for the learner’s current situation. In this paper, CBMT is implemented in a practical ICT course using video lectures that are delivered as open educational resources using YouTube. The experiences of enrolled students as well as YouTube users are evaluated as well as the actual results of the enrolled students. The results of the study suggest that users of the video lectures appreciate the learning approach. The actual results, i.e. learning outcomes, of the enrolled students are maintained. The study also demonstrates how using CBMT as open educational resources can free up time for teachers and increase the quality of teaching by benefitting from community feedback.

  • 10.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Skärgård, Marie
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Users perception of using CBMT for information security training. 2019. In: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019) / [ed] Steven M. Furnell, Nathan L. Clarke, University of Plymouth Press, 2019, p. 122-131. Conference paper (Refereed)
    Abstract [en]

    It is well established that user behavior is a crucial aspect of information security and archiving secure behavior through awareness and security training is the go-to solution proposed by practitioners as well as the research community. Thus, there is a dire need for efficient training methods for use in the security domain. This paper introduces ContextBased MicroTraining (CBMT), a framework for information security training that dictated that information security training should be delivered to end users in short-sequences when the users are in a situation where the training is needed. Further, the users' perception of CBMT is evaluated in an online survey where about 200 respondents are subjected to training material and asked about how they perceived them. The results show that users like the training material designed according to the CBMT framework and would prefer to use CBMT over other traditional methods of information security training.

  • 11.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Zaxmy, Johan
    University of Skövde, School of Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Analysing the Usage of Character Groups and Keyboard Patterns in Password Usage. 2019. In: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019) / [ed] Steven M. Furnell, Nathan L. Clarke, University of Plymouth Press, 2019, p. 155-165. Conference paper (Refereed)
    Abstract [en]

    Even with the advances in different methods for authentication, passwords remain the most common approach for authentication as well as for encryption of user data. Password guessing attacks have grown to be a vital part of computer forensics as well as penetration testing. In this paper, we seek to provide a statistical analysis of password composition by analyzing what character sets that are most commonly used in over 1 billion leaked passwords in over 20 different databases. Further, we use a survey to analyze if users that actively encrypt data differ from the norm. The results of this study suggest that American lowercase letters and numbers are the, by far, most commonly used character sets and that users who actively encrypt data use keyboard patterns and special characters more frequently than the average user.

  • 12.
    Kävrestad, Joakim
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Åhlfeldt, Rose-Mharie
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Johani, Karonen
    University of Skövde.
    Kowalski, Stewart
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Spiraling out in control: A Video Cartesian Dialectic on a Socio-technical Approach to Teaching Privacy, Information- and Cyber Security (PICS). 2019. In: Socio-Technical Perspective in IS Development 2019: Proceedings of the 5th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2019) co-located with 27th European Conference on Information Systems (ECIS 2019) / [ed] Stewart Kowalski, Peter Bednar, Alexander Nolte, Ilia Bider, CEUR-WS, 2019, Vol. 2398, p. 153-155. Conference paper (Refereed)
  • 13.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks. 2008. Doctoral thesis, comprehensive summary (Other academic)
    Abstract [en]

    Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is, and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the ways an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques, dealing with the human element of security, in place.

    The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.

  • 14.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    Social Engineering Audits Using Anonymous Surveys: Conning the Users in Order to Know if They Can Be Conned. 2005. In: CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30-31 March 2005, 2005. Conference paper (Refereed)
    Abstract [en]

    It is important to know the security readiness of any organization in order to strengthen it. One often neglected aspect of security is the human element, which is often attacked by “social engineering” techniques. This paper studies to what extent users are aware and susceptible to common social engineering attacks, and if a quantitative approach to penetration testing of social engineering can be used. By employing a quantitative study under the false pretense of studying “micro efficiency”, an organization with above average skilled users was surveyed on three classic social engineering cons. The results indicate that the approach could be useful as a part of, or as a stand alone auditing technique. The human element is not only vulnerable, but vulnerable to the extent that it shadows most other security measures. The author argues for the necessity of education in order to counter the serious threat of social engineering, since it in many cases complies with the principle of adequate protection.

  • 15.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Why Humans are the Weakest Link. 2008. In: Social and Human Elements of Information Security: Emerging Trends and Counter-measures / [ed] Manish Gupta, Raj Sharman, Hershey, PA: IGI Global, 2008, p. 15-26. Chapter in book (Refereed)
    Abstract [en]

    This chapter introduces the concept of social psychology, and what forms of deception humans are prone to fall for. It presents a background of the area and a thorough description of the most common and important influence techniques. It also gives more practical examples of potential attacks, and what kind of influence techniques they use, as well as a set of recommendations on how to defend against deception, and a discussion on future trends. The author hopes that the understanding of why and how the deceptive techniques work will give the reader new insights into information security in general, and deception in particular. This insight can be used to improve training, to discover influence earlier, or even to gain new powers of influence.

  • 16.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Bäckström, Johannes
    Talking security to managers: How to do it. 2007. In: Proceedings of the 6th International Conference on Perspectives in Business Information Research - BIR'2007 / [ed] Jyrki Nummenmaa and Eva Söderström, Tampere University, 2007, p. 104-113. Conference paper (Refereed)
    Abstract [en]

    Seven security specialists working close to managers were interviewed about what managers wanted to know about security, as well as other security issues and asked to perform a scenario. This information was analyzed, and the major conclusion of the study is that managers are interested in knowing about security mainly regarding financial and strategic matters, formulated in managerial terms rather than technical and grouped in sets of cross information rather than individual detailed data. A trend of giving the users themselves more responsibility for security was also noticed which is potentially worrisome due to the increased insider threat.

  • 17.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Johannes, Bäckström
    Department of Computer and Information Science, University of Linköping, Linköping, Sweden.
    User-centered security applied to the development of a management information system. 2007. In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 15, no 5, p. 372-381. Article in journal (Refereed)
    Abstract [en]

    Purpose – This paper aims to use user-centred security development of a prototype graphical interface for a management information system dealing with information security with upper-level management as the intended users.

    Design/methodology/approach – The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group.

    Findings – The interface was perceived as being successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters which focus more on risk issues than security issues. To facilitate the need of managers the study presents three heuristics for the design of management information security system interfaces.

    Research limitations/implications – This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.

    Practical implications – This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.

    Originality/value – This paper gives an example of a successful user-centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.

  • 18.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap.
    The cycle of deception: a model of social engineering attacks, defenses and victims. 2008. In: Proceedings of the Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008) / [ed] Nathan Clarke, Steven Furnell, University of Plymouth, 2008, p. 1-11. Conference paper (Refereed)
    Abstract [en]

    In this paper we propose a model for describing deceptive crimes in general and social engineering in particular. Our research approach was naïve inductivist and the methods used were literature study and interviews with the lead investigator in a grooming case, as we see many similarities between the techniques used in grooming, and those used in social engineering. From this we create cycles describing attacker, defender, and the victim and merge them into a model describing the cycle of deception. The model is then extended into a possible deception sphere. The resulting models can be used to educate about social engineering, to create automated social engineering attacks, to facilitate better incident reporting, and to understand the impact and economical aspects of defenses.

  • 19.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap (Säkerhetsinformatik).
    Huber, Markus
    Stockholms universitet, Samhällsvetenskapliga fakulteten, Institutionen för data- och systemvetenskap (Säkerhetsinformatik).
    Measuring Readiness for Automated Social Engineering. 2008. In: Proceedings of the 7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008 [CD-ROM], 2008, p. 20.1-20.13. Conference paper (Refereed)
    Abstract [en]

    This paper presents the result of a case study of the readiness of four large Swedish multinational corporations to deal with automated social engineering attacks. A preliminary study to review how the security policy of a large corporation deals with social engineering attacks was performed. The results from this study were combined with a conceptual model of social engineering when constructing a new interview protocol and a grading scale. This interview protocol was designed to measure the readiness of an organization to deal with social engineering attacks in general, and in this case with automated social engineering in particular. Four interviews were conducted with senior security managers and senior employees. Results indicate that no organization was over 60% on the readiness scale and thus all are considered at risk of attack.

  • 20.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics.
    Kowalski, Stewart
    Department of Computer and Systems Sciences, Stockholm University/Royal Institute of Technology, Stockholm, Sweden.
    Karlsson, Kerstin
    University of Skövde, School of Humanities and Informatics.
    Ask and you shall know: using interviews and the SBC model for social-engineering penetration testing. 2008. In: Proceedings of the 1st International Multi-Conference on Engineering and Technological Innovation; IMETI 2008: Volume I / [ed] Chu Hsing-Wei, Estrems Manuel, Ferrer José, Franco Patricio, Savoie Michael, Orlando: International Institute of Informatics and Systemics, 2008, p. 121-128. Conference paper (Refereed)
    Abstract [en]

    This paper presents the result of a case study where the SBC model was used as a foundation to perform semi-structured interviews to test the security in a medical establishment. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.

  • 21.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics. University of Skövde, The Informatics Research Centre.
    Kowalski, Stewart
    Karlsson, Kerstin
    University of Skövde.
    Non-Invasive Social Engineering Penetration Testing in a Medical Environment. 2008. In: Proceedings of the 7th Annual Security Conference [CD-ROM], 2008, p. 22.1-22.13. Conference paper (Refereed)
    Abstract [en]

    This paper proposes a soft approach for social engineering penetration testing. By using the SBC model as a foundation, questions related to the social element of security were asked in semi-structured interviews to a group of subjects. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.

  • 22.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Technology and Society. University of Skövde, School of Humanities and Informatics.
    Wangler, Benkt
    University of Skövde, School of Humanities and Informatics.
    Kowalski, Stewart
    Stockholm University, Sweden.
    A Conceptual Model of Social Engineering. 2011. In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 7, no 2, p. 3-13. Article in journal (Refereed)
    Abstract [en]

    Social engineering is a term used for techniques to trick, or con, users into giving out information to someone that should not have it. In this paper we discuss and model various notions related to social engineering. By using a broad, cross disciplinary approach, we present a conceptual model of the different kinds of social engineering attacks, and their preparation, the victim and the perpetrator, as well as the cultural aspects. By using this approach a better general understanding of social engineering can be reached. The model is also a good tool for teaching about and protecting against social engineering attacks.

  • 23.
    Nohlberg, Marcus
    et al.
    University of Skövde, School of Humanities and Informatics.
    Wangler, Benkt
    University of Skövde, School of Humanities and Informatics.
    Kowalski, Stewart
    Stockholm University, Sweden.
    A Conceptual Model of Social Engineering. 2010. Conference paper (Refereed)
  • 24.
    Rocha Flores, Waldo
    et al.
    Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden.
    Holm, Hannes
    Swedish Defense Research Agency (FOI), Linköping, Sweden.
    Ekstedt, Mathias
    Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Investigating the correlation between intention and action in the context of social engineering in two different national cultures. 2015. In: Proceedings of the 48th Annual Hawaii International Conference on System Sciences: HICSS 2015 / [ed] Tung X. Bui, Ralph H. Sprague Jr., IEEE Computer Society, 2015, p. 3508-3517. Conference paper (Refereed)
  • 25.
    Rocha Flores, Waldo
    et al.
    Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden.
    Holm, Hannes
    Swedish Defense Research Agency (FOI), Linköping, Sweden.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Ekstedt, Mathias
    Industrial Information and Control Systems, Royal Institute of Technology, Stockholm, Sweden.
    An empirical investigation of the effect of target-related information in phishing attacks. 2014. In: IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations EDOCW 2014: 1-2 September 2014 Ulm, Germany: Proceedings / [ed] Georg Grossmann, Sylvain Hallé, Dimka Karastoyanova, Manfred Reichert & Stefanie-Rinderle-Ma, IEEE Computer Society, 2014, p. 357-363. Conference paper (Refereed)
  • 26.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Andersén, Annelie
    University of Skövde, School of Health and Education.
    Eriksson, Nomie
    University of Skövde, School of Business. University of Skövde, Enterprises for the Future.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Bergström, Erik
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Fischer Hübner, Simone
    Karlstads universitet.
    Kompetensbehov och kompetensförsörjning inom informationssäkerhet från ett samhällsperspektiv. 2015. Report (Other academic)
    Abstract [sv]

    On behalf of the Swedish Civil Contingencies Agency (MSB), a study has been carried out with the aim of complementing the results of an earlier pre-study (Åhlfeldt et al., 2014) with an analysis of competence provision and competence needs in the information security field from a societal perspective. The work was carried out by researchers from two higher education institutions, the University of Skövde and Karlstad University, and within three research disciplines: education, information security and business administration.

    The assignment was to answer the following questions:

    • What competence needs must be met to achieve good and balanced information security that contributes to society's information security?
      • Contemporary competence needs (current situation)
      • Future competence needs
      • How should the necessary competence be obtained, and who bears the responsibility?
      • Based on the questions above, what are the most important success factors?

    The work was carried out in the form of focus groups with representatives from government agencies and companies whose operations are closely linked to society's information security and that are important for it to function.

    The results show that there are major deficiencies in information security competence at all levels of society. Three clear areas are identified: 1) national: an increased need for stronger governance and management as well as requirement setting; 2) organisation: an increased need for competence from management to employees, but with a strong focus on competence-raising measures at management level and in procurement; and 3) the citizen perspective, where the school sector in particular is highlighted as an important area for competence-raising measures.

    To achieve the necessary competence, educational efforts are required in all of the areas stated above. This includes academic-level education for information security experts, but also other education in, for example, law and economics. Working professionals at the organisational level also need targeted competence-raising measures that put information security in focus based on the organisation's operational needs, all the way from management level to employee level.

    The results also show that responsibility for society's competence provision for information security likewise lies in all three of the areas mentioned above, but with a clear emphasis on the national level. Here the need for national requirements is emphasised, in order to raise awareness of and elevate information security in critical societal functions so as to reach as many citizens as possible.

    Proposals for future work on developing methods for future studies of competence provision point primarily to methods for addressing the lack of a holistic view, and to competence provision for management and citizens.

  • 27.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Fischer Hübner, Simone
    Karlstad University.
    Carlén, Urban
    University of Skövde, School of Health and Education. University of Skövde, Health and Education.
    Andersén, Annelie
    University of Skövde, School of Health and Education. University of Skövde, Health and Education.
    Eriksson, Nomie
    University of Skövde, School of Business. University of Skövde, Enterprises for the Future.
    Björck, Fredrik
    Stockholms Universitet.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Förstudie kompetensbehov informationssäkerhet. 2014. Report (Other (popular science, discussion, etc.))
    Abstract [sv]

    On behalf of the Swedish Civil Contingencies Agency (MSB), a pre-study has been carried out with the aim of compiling research results on competence-raising measures in the information security field in order to map educational needs and identified benefits. The work was carried out by researchers from three different higher education institutions, the University of Skövde, Karlstad University and Stockholm University, and within three research disciplines, namely education, information security and business administration.

    The pre-study was tasked with answering the following questions:

    • How is competence defined?
    • How is competence measured?
    • How do different types of educational efforts differ in terms of benefits? What experiences, evaluations and explanatory factors can be identified?
    • How, and to what extent, are different types of education assimilated?
    • What characterises successful educational efforts?

    The results show that the concept of competence is difficult to define and that there is no clear definition of it. An attempt at a summarising description of the concept based on the review is that competence means a certain set of knowledge, skills, ethics and attitudes in a certain context. Competence comprises both attributes and intentions, where attributes include knowledge and skill, and intentions comprise ethics and attitudes. Everything must, however, relate to a context and always be seen in that context.

    Very few studies focus on measuring competence, either in general or within the information security field. The studies that have carried out some form of measurement mainly measure competence from the academic field, and then primarily from a knowledge perspective. Research on measurement among working professionals is minimal within the search areas reviewed in this pre-study.

    Regarding competence needs, benefits, experiences and success factors, the review shows that success generally comes when educational efforts for working professionals have a practice-oriented focus. The motivation and engagement of those taking a course are of decisive importance. It is not possible to determine directly which types of education or activities matter most; rather, the review shows that a combination of different forms of education and activities is preferable. Furthermore, dialogue and discussion in day-to-day operations are of great importance for building a sustainable security culture in the organisation. So-called tacit knowledge should not be underestimated but needs to be taken into account and supported.

    In addition, management's commitment, participation and support for carrying out the education are of decisive importance if an education is to achieve a clear effect in the organisation.

    The review shows that there is a need for further research on competence needs and on how different educational efforts produce effects in organisations. Proposals for a discussion basis for future work have been developed. The proposals include, among other things, the need for competence analyses, methods and tools for measuring the effects of education, targeted competence-raising efforts for the management level, longitudinal studies to follow up effects, and the development of methods and tools for situated learning.

    The review was carried out across different disciplines, which the participating researchers perceived as very positive. Since information security is an interdisciplinary field, broader perspectives and additional disciplines should also be included in future in-depth analyses in the area. Examples of additional disciplines are behavioural science, psychology and law. The need for competence in the information security field is unlikely to decrease in the future, and further research is needed so that the right education reaches the right person at the right time and in the right place.

    Skövde, March 2014

  • 28.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Humanities and Informatics.
    Nohlberg, Marcus
    University of Skövde, School of Humanities and Informatics.
    System and Network Security in a Heterogeneous Healthcare Domain: A Case Study. 2005. In: CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30-31 March 2005, 2005. Conference paper (Refereed)
  • 29.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Nohlberg, Marcus
    University of Skövde, The Informatics Research Centre. University of Skövde, School of Humanities and Informatics.
    Göransson, Monika
    Västra Götalandsregionen.
    Lindström, Valter
    Västra Götalandsregionen.
    Planering för införande av ledningssystem för informationssäkerhet: Utvärderingsrapport av genomförd uppdragsutbildning. 2012. Report (Other (popular science, discussion, etc.))
  • 30.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Söderström, Eva
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Lennerholt, Christian
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    van Laere, Joeri
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Current Situation Analysis of Information Security Level in Municipalities. 2018. In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 14, no 1, p. 3-19. Article in journal (Refereed)
    Abstract [en]

    Municipalities manage a significant part of society's services, and hence they also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and municipalities’ supply and management of information are, therefore, critical for society in general, and also for achieving the municipalities’ own operational goals. However, research shows weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security.

    This paper presents the result from a GAP analysis mapping the current situation of Swedish municipalities for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding the systematic security work is generally low, and that there is a need to implement adapted tools for Information Security Management Systems in order to support municipalities.

  • 31.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Söderström, Eva
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Lennerholt, Christian
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    van Laere, Joeri
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Current Situation Analysis of Information Security Level in Municipalities. 2018. In: Proceedings of the Annual Information Institute Conference / [ed] Gurpreet Dhillin, Spyridon Samonas, The Information Institute, 2018. Conference paper (Refereed)
    Abstract [en]

    Municipalities manage a significant part of society's services, and hence also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and the municipality's supply and management of information are, therefore, critical for society in general, but also for achieving the municipality's own operational goals. However, investigations show weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security. This paper presents the result from a GAP analysis mapping the Swedish municipalities' current situation for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding systematic security work is generally low and that there is a need for adapted tools for Information Security Management Systems in order to support municipalities.

  • 32.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Söderström, Eva
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Länsstyrelsernas förutsättningar att stödja kommuner gällande informationssäkerhet. 2017. Report (Other academic)
    Abstract [sv]

    A study has been carried out by the University of Skövde on behalf of the Swedish Civil Contingencies Agency (MSB) with the aim of mapping the county administrative boards' actual ability to coordinate and support the municipalities' work on information security. The work also covered how the county administrative boards work to coordinate and support the municipalities' work on information security. The survey was carried out at seven selected county administrative boards during the period October 2016 to January 2017 through interviews with representatives from each county administrative board.

    The results show that the county administrative boards need a clear assignment with an accompanying mandate and resources in order to be in a position to coordinate and support the municipalities in their information security work. The county administrative boards involved consider this to be lacking at present. In addition, the results show that there is an extensive lack of competence in the information security field. The lack of competence exists in both the internal work and the external work directed at the municipalities, all the way from management level to operational level. There is also a need for clearer roles, both strategic and operational, to get the work started and enable a clearer overview. This is needed to give the county administrative boards the conditions to coordinate and support the county administrative boards in information security work related to crises and heightened alert, but also to obtain a strategic holistic view of information security work from a societal perspective.

  • 33.
    Åhlfeldt, Rose-Mharie
    et al.
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Söderström, Eva
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Lennerholt, Christian
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    van Laere, Joeri
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Metod och kartläggning av informationssäkerhet för kommuner i Västra Götaland. 2016. Report (Other (popular science, discussion, etc.))
    Abstract [sv]

    Information is an important working tool for all types of organisations, including municipal operations. Municipalities handle a significant part of society's services, which makes the municipality's information supply a critical part of society's information security. Secure information handling is an operational matter and therefore encompasses the municipality's entire operations. Investigations show, however, deficiencies in the municipalities' work on information security, and there is a need to review this work and identify the current security level.

    The University of Skövde and its Information Systems research group were commissioned by VästKom and Skaraborg's fifteen municipalities both to develop the method for carrying out a gap analysis based on the national method support available at informationssäkerhet.se, and to carry out in practice a gap analysis based on the method development in Skaraborg's fifteen municipalities. The method development work included the activities of 1) updating the checklist in the gap analysis to a new version, 2) adapting to municipalities which measures are considered critical for a municipality, and adapting the roles included in the analysis to the municipal context, and 3) developing a simplified IT tool to support the analysis work.

    The project ran between April 2015 and January 2016. The method development and the planning of the survey in the municipalities were carried out during the spring, and the survey itself was carried out during the first part of the autumn. The analysis work and compilation of results then continued during the remainder of 2015 and were presented and finally reported in January 2016.

    The method development has produced an updated checklist for carrying out a gap analysis in which critical measures for the municipalities have been identified. In addition, a list of roles adapted to the municipal context has been drawn up. A simplified IT tool has also been designed, mainly to show what design requirements and other improvements are needed to obtain effective and usable IT support when carrying out a gap analysis.

    The results of the survey in Skaraborg's fifteen municipalities show in general that the municipalities have deficiencies in systematic information security work. The deficiencies mainly concern the fact that the foundation for systematic information security work is missing in most municipalities, that is, governing documents, organisation and responsibility for information security work are deficient. In addition, the survey shows a great need for increased competence in the information security field.

    Continued work in the form of collaboration between the municipalities in Västra Götaland is seen as a success factor. It is unique to have done this form of joint work, and there is therefore potential to continue the work of introducing systematic information security work in the municipalities, primarily by collaborating on activities in the introduction of an information security management system.
