PICS Seminars 2024
Current event - April
Date: 18 Apr 2024, 13:00-14:00 Where: Zoom
Title: Stöd till styrelser vid styrning av verksamhetens IT (Support for corporate boards in managing the IT of their businesses)
Speaker: Thomas Verner, ISACA
Abstract: This session is presented from a board member perspective and aimed at the corporate governance in a Swedish legal context. The material and publication are in Swedish - however the presentation and Q&A will be performed in English. In the intricate landscape of corporate governance, the relationship between boards and IT & cyber security remains pivotal yet often fraught with challenges. In this session, we delve into a publication crafted through the collaborative efforts of local ISACA and IIA chapters in Sweden, aimed at guiding board members to navigate the strategic realm of IT and cyber security while maintaining a hands-off approach to tactical and operational decisions. The session sheds light on the essence of this publication, unravels its implicit messages and explores the uncharted territories. Drawing from real-world experiences as a board member, board chairman, IT governance and IT outsourcing consultancy he provides guidance for not only board members but also CEOs and operational management to comprehend the strategic imperatives of IT & cyber security. By aligning decision-making processes with the nuanced dynamics of IT & cyber security, organizations can avert pitfalls and harness opportunities in an ever-evolving digital landscape. In this session we demystify the symbiotic relationship between boards and IT & cyber security, equipping attendees with actionable insights to fortify corporate resilience and drive sustainable growth in an era where IT & cyber security is paramount.
Bio: Thomas Verner has 45+ years of broad experiences in the global IT industry. Starting with hardware and software development, sales and marketing, his later career specialties involve IT governance, IT organization structures and development, IT cost management, quality and project risk management, IT outsourcing strategy, contracting, transition and governance. He holds an Executive MBA from INSEAD, France, He is a certified board chairman and currently the Secretary to the Sweden Chapter of ISACA.
Previous seminar slides:
- SLIDES 2023-04-13 (pdf) Manfred Jeusfeld
- SLIDES 2023-03-22 (pdf) Steven Furnell
- SLIDES 2023-02-23 (pdf) Raimundas Matulevicius
- SLIDES 2023-05-11 (pdf) Catharina Gillsjö
- SLIDES 2023-09-14 (pdf) Ali Padyab
- SLIDES 2023-10-12 (pdf) Björn Lundell
- SLIDES 2023-12-07 (pdf) Oskar MacGregor
Upcoming PICS Seminars
Spring 2024
May
Date: 16 May 2024 TBD, 13:00-14:00 Where: Zoom
Title: TBD
Speaker: TBD
Abstract: TBD
Bio: TBD
June
Date: 13 Jun 2024 TBD, 13:00-14:00 Where: Zoom
Title: Deepfake AI
Speaker: Roland Pucher, Senior Manager, Cybersecurity & Privacy at PwC Austria
Abstract: TBD
Bio: TBD
Fall 2024
TBD
Special request to companies:
PICS-Exjobb – samarbete med företag (in Swedish)
PICS forskargrupp söker företag som är intresserade av att erbjuda exjobb till våra mastersstudenter. Anta att ditt företag har utmaningar inom området integritet, informationssäkerhet och cybersäkerhet som kräver en systematisk forskningsansats för att hitta lösningar. I så fall kan du kontakta oss för att hjälpa dig genom att definiera ett studentforskningsprojekt. Vår student har olika teoretiska kunskaper inom säkerhetsområdet som kan hjälpa din organisation med tekniska, administrativa och praktiska frågor. Vi förväntar oss att våra studenter får stöd från företaget genom att tillhandahålla lämpliga förutsättningar för att samla in och analysera data. PICS-forskargruppen ska säkerställa att vetenskapligt stöd ges med erfarna handledare. Exjobben tar vanligtvis 4-5 månader och startar i januari.
För mer information, tveka inte att kontakta programkoordinatorer för MSc in PICS:
- Ali Padyab (ali.padyab@his.se)
- Joakim Kävrestad (joakim.kavrestad@his.se)
PICS Collaboration for Masters thesis (in English)
The PICS research group is looking for companies who areinterested in offering projects to our master students. Supposeyour company has challenges within the field of privacy, information security, and cybersecurity that require a systematic research approach to find solutions. In that case, you can contact us to help you by defining a student research project. Our student has various theoretical knowledge withinthe field of security that could help your organization withtechnical, administrative, and practical issues. We expect thatour students get support from the company by providingsuitable conditions to collect and analyze the data. The PICS research group will ensure that scientific support is providedwith experienced supervisors. The student's project usually takes 4-5 months and starts in January.
For more information, don't hesitate to get in touch withprogram coordinators of MSc in PICS:
- Ali Padyab (ali.padyab@his.se)
- Martin Lundgren (martin.lundgren@his.se)
Contact PICS Seminars
If you want to suggest a speaker, give a talk, or ask a question, please write to pics-seminars@his.se. Additional seminar slots may be made available. Information needed from speakers: Title, Abstract, and Brief bio. (Title at least 4 weeks in advance, or when booked. Abstract and bio at least two weeks in advance.)
Normally, PICS Seminars are on Thursdays, 13:00 - 14:00, and are held in English for a wider audience. The standard format is a 45 min presentation, followed by a 15 min questions/discussion. Presentation in English if possible. Questions may be asked in Swedish if desired.
Information about seminars will be placed on the web site and emailed to PICS WG, PICS Platform, PICS students (PICS site on canvas), and IIT researchers. If desired, posted to IIT or HS news/calendar.
This web page may be bookmarked as his.se/en/pics-seminars.
Past PICS Seminars 2024
Date: 22 Feb 2024 - Postponed to 13 Jun 2024
Date: 21 Mar 2024
Title: Generative AI and Cyber Security
Speaker: Christoffer Brax, Combitech
Abstract: In the last few years, the landscape of artificial intelligence has been significantly reshaped by the advent of generative AI. This talk aims to dissect the remarkable advancements in generative AI technologies, particularly focusing on their applications and implications within the domain of cybersecurity.
The discussion will pivot to how these generative models have been employed to enhance cybersecurity measures and development of more robust intrusion detection systems. Conversely, we will also explore the darker facet of these advancements: the proliferation of AI-generated phishing attacks, the emergence of more convincing deepfakes, and their subsequent challenges to digital forensics.
Finally, we will offer insights into the future trajectory of generative AI in cybersecurity.
Bio: Dr Christoffer Brax is working at Combitech AB as a AI Systems Architect and Cyber Security Consultant. Christoffer has over 20 years of experience building security critial IT-systems for civilian and military applications. Christoffer also works as a senior researcher in research projects togheter with the Univeristy of Skövde and other reserch institutions in Sweden. His research interests are cyber security, artificial intelligence and open-source software.
Past PICS Seminars 2023
Date: 23 February 2023
Title: On Security of Intelligent Infrastructures
Speaker: Raimundas Matulevicius
Bio: Raimundas Matulevičius received the Ph.D. degree in computer and information science from the Norwegian University of Science and Technology in 2005. Currently he holds a Professor of information security position at the University of Tartu, Estonia. His research interests include information security and privacy, security risk management, security and privacy by design and model-driven security in the intelligent infrastructure, blockchain and information systems. He has been involved in the SPARTA H2020 project, Erasmus+ Strategic Partnership programs CyberPhish, BlockNet and BLISS. Currently, Matulevičius is the principal researcher in CHESS (EU Horizon Europe) and CHAISE (Erasmus+ Sector Skills Alliances program) projects. Matulevičius is the lead of the Information Security Research Group (https://infosec.cs.ut.ee/).
Abstract: Intelligent Infrastructure (II) systems are complex socio-technical systems enabled by interconnected applications of the Internet of Things (IoT). Nowadays, many companies are transforming their operations towards the usage of II systems. Thus, it is important to explain how to protect them. In this talk we will discuss how to secure II using security- and privacy-by-design principles. A special attention will be placed on cooperative intelligent transport systems and services. SLIDES 2023-02-23 (pdf)
Date: 22 March 2023
Title: It works for someone, but not for me: The ongoing challenge of usable security
Speaker: Steven Furnell, UK
Bio: Steven Furnell is a professor of cyber security at the University of Nottingham. He is also an Honorary Professor with Nelson Mandela University in South Africa and an Adjunct Professor with Edith Cowan University in Western Australia. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 360 papers in refereed international journals and conference proceedings, as well as various books, book chapters, and industry reports. Prof. Furnell is the UK representative to Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a board member of the Chartered Institute of Information Security.
Abstract: Whether we like it or not, cyber security is now an important aspect of the end-user experience in various IT and online scenarios. However, the way in which it is encountered is often fraught with issues. Relevant features may exist, but users can find themselves unaware of them, unable to understand them, or unable to achieve the level of control that they expect. As a result, users can end up feeling that they are the victims of cybersecurity rather than the beneficiaries. Through past and present examples, this presentation will consider the different elements of usability that ought to be addressed, and some of the apparent problems of doing so in practice. The resulting risk is that even though protection measures are available, the protection itself is not achieved and users are blamed for being the weak link in a situation where they were arguably set up to fail. SLIDES 2023-03-22 (pdf)
Date: 13 April 2023
Title: Enterprise Modeling for Critical Infrastructure Operators
Speaker: Manfred Jeusfeld
Bio: Manfred Jeusfeld studied computer science (minor Operations Research)
from 1980 to 1986 at the University of Technology Aachen (RWTH),
Germany. After getting his Diploma degree, he moved to University of
Passau, Germany. He worked on development support for database
applications and on foundations of deductive & object-oriented
databases. In 1992 he received his Doctoral degree in Natural Sciences
from the University of Passau, Germany. He is the principal developer of
the ConceptBase system, which is now used by several hundreds institutes
and companies world-wide for designing information systems and meta
modeling. In 2013 he joined the department of information technology,
University of Skövde, Sweden, as senior lecturer, and was promoted to
professor of informatics in April 2018. His research covers cooperative
conceptual modeling, data warehouse quality management, meta modeling,
and cyber security.
Dr. Jeusfeld has published more than 35 journal articles (Information
Systems, DSS, JIIS, SoSYM etc.) and numerous conference articles. He is
area editor for the Requirements Engineering Journal. He was co-PC-chair
of KRDB-94 to KRDB-97, DMDW-99, DMDW-2000, DMDW-2001, DMDW-2003,
ER-2011, and PoEM-2016. He is or has been reviewer for international
journals like ACM TOIS, REJ, SoSYM, and conferences including ICIS,
ECIS, VLDB, CAiSE, ER and others. He is also the founder of CEUR
Workshop Proceedings, a publication service for open-access proceedings
of scientific workshops and conferences.
Abstract: Critical infrastructure operators such as power grid enterprises are a
target of advanced cyber attacks by criminal and antagonistic state
agencies. The EU project ELVIRA (2017-2020) developed a toolset for such
enterprises to evaluate their vulnerability and to assess the potential
damage of cyber attacks in terms of efficiency loss. In this talk, we
focus on the problem on how to represent the assets of the enterprise
and how to compute metrics such as criticality of assets. The tool has
been developed at the university of Skövde and is currently
commercialized in collaboration with Norgald AB. If time permits, we
will demonstrate the enterprise modeling capabilities of our solution. SLIDES 2023-04-13 (pdf)
Date: 19 April 2023
Title: Threat Intelligence Modeling using Graphs / guest lecture
Speaker: Ashish Kundu
Bio: Dr. Ashish Kundu is currently at Cisco Research as its Head of Cybersecurity Research. He is a distinguished scientist, a leader in the area of Security, Privacy, Compliance. He worked as Research Staff Member at IBM T J Watson Research Center. He has led security, privacy and compliance of self-driving cars, tele-operated driving at Nuro as its Head of Cybersecurity. His research has led to more than 160 patents filed with more than 150 patents granted, and more than 50 research papers. He is an ACM Distinguished Member, and has also been an ACM Distinguished Speaker. He has been honored with the prestigious Master Inventor recognition multiple times by IBM Research. Dr. Kundu received his Ph.D. in Cybersecurity from Purdue University in 2010 and his doctoral research at Purdue University received the prestigious CERIAS Diamond Award for outstanding contributions to cybersecurity.
Abstract: Security attacks form a system of specific flow of computation and data by one or multiple threats. Attacks follow a set of steps in a sequence. Threats work together as threat groups. Holistic 360-degree defenses against APTs often interconnect multiple threat intelligence computation and defense mechanisms. Each of these processes have a graph structure inherent to their execution. Graphs can be used to model spatio-temporal dimensions and flows of different facets of security as well as privacy. In our previous work, we have explored use of graphs and hyper graphs for threat, attack as well as defense modeling. Moreover, we have also explored using modeling threat intelligence as a system of graphs and using graph analytics and graph deep learning in order to predict, infer, extract features and information for assuring holistic security. Such work has been developed in the context of autonomous cars, AI, cloud and edge computing. In this talk, we will also explore how to use NLP and NLU on how to automatically construct such graph models for specific systems under protection/attack.
Date: 11 May 2023
Title: Skaraborgs Hälsoteknikcentrum (SHC) Skaraborgs Health Technology Center
Speaker: Catharina Gillsjö
Bio: Catharina Gillsjö, PhD, FNP, RN and Associated professor in nursing. CG is an educator and researcher with a specialty in gerontology and geriatrics. Her research is in the area of health and wellbeing of older adults living with health problems and provision and organization of health and social care as well as the need and use of sustainable and digital solutions in the context. Her research contributed to the development of the method Reflective STRENGTH-giving dialogue (STRENGTH) and the digital tool selfSTRENGTH. The research also led to development of the digital application WHEdcapp to evaluate sense of home, wellbeing, safety and loneliness. In addition, CG’s research encompasses the transition of health care to close care, need and use of digital solutions, health and social care and an education intervention with simulation in age-suit. She is the project leader for Skaraborg Health Technology Center (SHC), a collaboration arena, knowledge center and testbed for companies, public health sector, organizations, academia and society at large. Innovation, research and education oriented towards aging, older adults, technology and provision of care are central in her work in aim to contribute to evidence based technology, health and social care.
Abstract: In today’s provision of health and social care, there is a challenge for stakeholders to uphold quality care. In addition, there is an ongoing transition of health care from hospital to home which involves an increase of digital solutions in person’s home. Furthermore, there is the demographic issue with lack of workforce in relation to persons in need of care. The policy to remain at home results in more advanced health care at home for the increasing number of older adults with multiple health problems, extensive and complex needs of care. Skaraborg Health Technology Center (SHC) at University of Skövde is a collaboration arena, knowledge center and test bed for cross-team collaboration between the business and public sector, the academy, organizations, civil society and other actors focusing on innovation, research and education. The SHC collaboration arena consists of a space for innovation and an accessibility adapted apartment equipped with technology. The arena houses technical infrastructure supporting various activities such as development and testing of products, services and methods focusing on smart/intelligent, safe and secure solutions to preserve integrity and promote autonomy, safety, health and well-being within the target group, currently mainly older persons. Another focal area is a high quality, evidence-based and cost-effective technology, health and social care. SHC is contacted by external actors mainly for study visits, simulation in age suit, workshops, development projects, research and education. Collaboration partners participating in activities in SHC are companies, municipalities, academy, members in retirement organizations, the Aid Center in the Western Region and society at large. Activities and projects are conducted in collaboration with internal and external actors. Initially in this seminar, the SHC and ongoing activities will be presented. An open discussion will follow to identify ways to extend collaboration involving use of SHC as an environment for innovation, research and education in the area of PICS and Health Sciences. SLIDES 2023-05-11 (pdf)
Date: 15 June 2023
Title: PICS Master final presentation science slam
Moderator: Ali Padyab/Martin Lundgren
Content: Some PICS master students gave short presentations of their PICS Master thesis work, reflecting mainly on their aim and results in a science slam manner.
Date: 14 September 2023
Title: Cybercrime study
Speaker: Ali Padyab
Bio: Ali Padyab is an associate professor (Docent) of cybersecurity at the School of Informatics, University of Skövde. His research focuses on cybersecurity threats targeting organizations and individuals. His doctoral thesis explored how individuals’ privacy attitudes concerning the secondary use of information are formed and how secondary use impacts individuals’ privacy. He has designed a novel risk assessment method to help organizations address cybersecurity threats and vulnerabilities. He has been involved in various projects focusing on developing privacy-enhancing technologies (PETs) to enhance individual privacy. His other line of research concentrates on IoT privacy, information security management, cloud risk management, the challenges of managing information security when teleworking, and cyber threat intelligence aided by artificial intelligence. He is currently involved in a research project investigating cybercrime’s socio-economic and technological determinants funded by VR.
Abstract: trengthening public security and protecting institutions are crucial to society and of great concern to the Swedish government. Given an increased use of internet in daily life,which is positive per se, the negative impacts of cyber threats on people’s integrity and economic consequences are inevitable. While good preventive strategies should target particular risk groups for various types of cybercrime, yet research on the risk factors of cybercrime is insufficient. Understanding the risk factors of susceptibility to cybercrime and the context in which cybercrime occurs would offer a way to exploit preventive strategies for the most effective outcomes. In this seminar, Ali Padyab will talk about the complexity of cybercrimes and present a recent VR funded project on risk factors for three main elements of cybercrime: offenders, victims and the Information Technology(IT) environment.
Date: 12 October 2023
Title: Lock-in effects and security: Data sovereignty through avoiding
data processing of digital assets under unknown conditions
Speaker: Prof Björn Lundell, School of Informatics, University of Skövde
Bio: Professor Björn Lundell (Ph.D.) leder forskningen inom forskningsgruppen Software Systems Research Group vid Högskolan i Skövde och har lett samt medverkat i flera forskningsprojekt i samverkan med ett stort antal internationella och nationella organisationer. Under flera decennier har forskningen adresserat olika typer av inlåsningseffekter, interoperabilitet och långa livscykler för system. Forskningen behandlar olika aspekter av anskaffning, utveckling och nyttjande av programvarusystem, men speciellt fokus på öppen programvara och öppna standarder.
Utöver resultat som publicerats i vetenskapliga fora har Prof. Lundell även genomfört utredningar på uppdrag av Statens inköpscentral vid Kammarkollegiet, Myndigheten för digital förvaltning (DIGG) och Konkurrensverket. Under 2022 redovisades även en rapport till Regeringskansliet som analyserat EU:s datastrategi (på uppdrag av Vinnova).
Date: 24 October 2023
Information Security Day 2023 Where: Only on campus; mostly in Swedish
The Information Security Day has been arranged at the University of Skövde annually since 2017 and draws attention to PICS areas.
More information about program and registration, see Information Security Day.
Date: 9 November 2023
Title: Cyber Safety in the Automotive Sector
Speakers: Dr Henric Rhedin, Director External Research & Exploration Coordination, Volvo Cars AB and MSc Charlotta Ahlberg, Expert Strategist, Exploration and Research, Volvo Cars
Bio: Dr Henric Rhedin is working at Volvo Cars AB with initiation and coordination of external research and exploration. The assignment include early stage research program establishment in areas such as digitalization, electrification, safety, and sustainability but also intellectual property dimensions across all areas. Before joining Volvo Cars he has been working with research and innovation in a number of disciplines and in various roles both in academia and industry. Henric has been a board member of several Swedish and international companies and organizations over the last 10 years. He is former President and Vice President Policy of ASTP, Europe’s knowledge exchange organization.
MSc Charlotta Ahlberg has more than 20 years experience of Product- and Corporate Innovation at Volvo Cars, she has a background of Master of Science degree within Technical Design and with the user in focus she has led 10 production car Projects. Charlotta also was UX responsible for the world-wide known Concept Car YCC, “the car made by Women for people”. Today she is responsible for strategic partnerships, driving transformation and complex investigations for implementation.
Abstract: The automotive sector delivers one of the most complex technical product in the history of mankind to be used all over the world by people with all types of background, skills, and knowledge. In the digitalization era this presents a wide variety of challenges when it comes to security from all perspectives in particular cyber security. The implications on society including research, education, and norm still remains mainly unknown but needs to be addressed in an ever increasing pace.
Date: 7 December 2023
Title: Neuroprivacy
Speaker: Oskar MacGregor
Abstract: "Neuroprivacy" can mean different things. The concept ranges over both "the neuro of privacy" (e.g. studying the brain states of private vs. non-private social interactions) as well as "the privacy of neuro" (e.g. keeping people’s neurological data secure). The latter - the privacy of neuro - can be further subdivided into two constituent components: the aforementioned neurodata security domain, but also the potential use of neuroscientific findings to reveal intimate secrets, or even manipulate human behavior. This final subdomain - utilizing neurotechnology to, for instance, surreptitiously steal a person's PIN code without their knowledge - has captured the public imagination, with no shortage of concerns presaging an impending end to all privacy. But does reality live up to the hype? In this seminar, Oskar will look at what neurotechnology today is actually capable of, in order to establish just how much of a threat to privacy it really is.
Bio: Oskar MacGregor, Senior Lecturer in Cognitive Neuroscience at the University of Skövde, has a multidisciplinary background. He spent his first decade at university diving into philosophy, with his academic degrees focusing to a large extent on various constraints to philosophical argumentation and reasoning (due to e.g. human psychological biases), mostly within the topics of ethics and privacy. Following this, his second decade delved into cognitive neuroscience, with a particular emphasis on research methods and research ethics, primarily as applied within the electrophysiology of emotion. For his upcoming third decade, he is about to embark on a more sustained critical look at topics relating to - among other things - today's focus: neuroprivacy (in addition to AI ethics, human aspects of cybersecurity, etc.), as he takes up the role of Senior Lecturer in Informatics, also in Skövde, from January 2024.
Past PICS Seminars 2022
Date: 10 February 2022
Title: A CISO's challenges as a SaaS (Software as a Service) provider (En CISOs betraktelser från att ena dagen vara i kommunal verksamhet och nästa dag vara en molntjänstleverantör)
Speaker: Per Gustavsson, Chief Information Security Officer, Stratsys
Date: 10 March 2022
Title: Systematiskt riskanalysarbete för försvar och samhällsviktig verksamhet
Speaker: Joakim Strandqvist, Consultant Risk management and Public safety at Afry
Abstract: Föredraget handlar om Afrys strukturerade arbete med riskanalyser/säkerhetsskyddsanalyser hos myndigheter och offentlig verksamhet som Försvarsmakten, FMV och Kommuner
Language: Swedish
Date: 21 April 2022
Title: From Whole, to Part, to Participation – Integrating risk and controls in organisations
Speaker: Karl Sandstrom, PhD; GRC Product Growth Manager; Stratsys AB
Brief bio: Dr Karl Sandstrom has a background both working and researching risk and controls with a particular affinity for high risk environments and ‘change-resistant’ organisations. Having observed and experienced organisational challenges from boardroom to field site and London to Sanaa, he firmly believes the principal methodological and organisational challenges are the same even though the context and available excuses for poor practice change. His core interest revolves around the operationalisation and integration of risk awareness and management into routines, and between the reported and observable reality of an organisations exposure.
Abstract: Risk, controls, and compliance are challenging tasks for many organisations, with a particular painpoint being optimization and ‘bringing it all together’. It often results in silos, islands of control, empty checklists and, to be honest, quite a lot of wishful thinking. The lack of consolidated view and understanding both of the risks and the mitigations can have disastrous or just extremely costly consequences. We hypothesize that by approaching the subject from the foundation of organisational needs (the Whole), running it through specialist workflows where necessary (the Parts), and developing operations-sensitive solutions to mitigation (Participation), an integrated and more streamlined way of working is possible and provides a relevant and more complete overview picture. The objective should be maximum assurance at the top, with the minimum (unnecessary) administrative load at the ‘tip of the spear’. In this seminar we will thread this through the lens of organisational interests; Information security as a specialist field; and operationalisation.
Date: 12 May 2022
Title: Cyberpsychology, Cybersecurity and Risk - How are they Connected?
Speaker: Robert Willborg, Chief Information Security Officer and data protection manager at Junglemap (LinkedIn)
Brief bio: Robert is Chief Information Security Officer and data protection manager at Junglemap. He is a member on a number of board of experts such as Aktuell Säkerhet's expert grouping and also the Althinget's cyber security grouping, which acts as the Swedish Parliament advisory body. Robert is frequent a debater in security media and researches in his spare time about online fraud.
Abstract: The session will be about the importance of cyber psychology in cyber security. The session will focus on the individual aspect, not technology, in order to achieve organizational effect around the strategic work with cyber security and awareness. Humans are a risk factor, which has been proven again and again in many known incidents, but is forgotten when we talk about patching and backing up the digital infrastructure. The session will also focus on how to build human firewalls and give the audience the added value of challenging the traditional thinking around cybersecurity.
Date: 9 June 2022
Title: Interoperable EU Risk Management Framework - Methodology for and assessment of interoperability among risk management frameworks and methodologies
Speaker: Professor Sokratis Katsikas, NTNU
Abstract: This report proposes a methodology for assessing the potential interoperability of risk management (RM) frameworks and methodologies and presents related results. The methodology used to evaluate interoperability stemmed from extensive research of the literature, resulting in the use of certain RM framework features which were singled out for this purpose. These features, which were identified as relevant for the assessment of interoperability, are thoroughly described and analysed for each framework/methodology. More specifically, for certain functional features we make use of a four-level scale to evaluate the interoperability level for each method and each set of combined features. SLIDES 2022-06-06 (pdf)
Date: 5 September 2022
Event: Dissertation Defense
Speaker: Yuning Jiang, University of Skövde
Info: On September 5 at 13-17, one of our PhD students, Yuning Jiang, in the PICS centre will defend her thesis If you have the opportunity to participate, you are welcome. A link to more information about the defense as well as a link to the thesis can be found below.
https://his.diva-portal.org/smash/get/diva2:1680358/FULLTEXT05.pdf
Date: 15 September 2022
Title: (Re)think risk - Some challenges and insights from studies and practice on information security risk management
Speaker: Martin Lundgren, University of Skövde
Bio: Martin Lundgren holds a doctorate in Information Systems from Luleå University of Technology, Sweden. He received his bachelor’s degree in Informatics from the University of Gothenburg, Sweden in 2012, and his master’s degree in Information Security from Luleå University of Technology in 2014. His research focus lies on Information Security and Risk Management from a socio-organizational perspective.
Abstract: Risk management is often seen as a – if not the – corner stone of many structured approaches to information security. Over the years, numerous processes and methods have been developed to guide how a just assessment of risks within the organization can be conducted. But, what are risks and can they really be assessed justly? Is compliance with risk management processes and methods synonymous with good security? And, who is a risk manager anyway, or is it a job reserved only for security experts? This presentation is about some of these challenges and insights gained through research and practice alike.
Date: 5 October 2022
Event: Information Security Day
Info: Link below to this year's Information Security Day (mostly in Swedish)
Theme: Informationssäkerhet/cybersäkerhet och det civila samhället
Registration: Follow the link:
https://www.his.se/mot-hogskolan/samarbeta-med-oss/pics-center/informationssakerhetsdagen/
Date: 13 October 2022
Title: A way to meet regulatory compliance and standards requirements over time
Speaker: Martin Brodin, Actea Consulting AB
Bio: Martin Brodin works as a consultant in information security at Actea Consulting AB, where he is also IT manager and chief security officer. He also has a doctorate from the University of Skövde.
Abstract: Today there are many laws and regulations that companies need to keep track of and ensure that they comply with. One way to do it is by following a simple model that is based on both research and experience from many organisations. Martin will present how he has worked with the model in various organisations and what was the basis for its development.
Date: 17 October 2022, 13:00 Where: ASSAR + Zoom
Event: Thesis Defense
Speaker: Joakim Kävrestad, University of Skövde
Contact: Marcus Nohlberg
Title: Context-Based Micro-Training Enhancing cybersecurity training for end-users
Abstract: This research addresses the human aspect of cybersecurity by developing a method for cybersecurity training of end-users. The reason for addressing that area is that human behaviour is widely regarded as one of the most used attack vectors. Exploiting human behaviour through various social engineering techniques, password guessing, and more is a common practice for attackers. Reports even suggest that human behaviour is exploited in 95% of all cybersecurity attacks.
Human behaviour with regard to cybersecurity has been long discussed in the research. It is commonly suggested that users need support to behave securely. Training is often suggested as the way to improve user behaviour, and there are several different training methods available. The available training methods include instructor-led training, game-based training, eLearning, etc. However, even with the diversity of existing training methods, the effectiveness of such training has been questioned by recent research. Research suggests that existing
training does not facilitate knowledge retention and user participation to a high enough degree.
This research aims to address the problems with current training practices by developing a new method for cybersecurity training of end-users. The research used a design science (DS) approach to develop the new method in three increasingly complex design cycles. Principles for cybersecurity training were developed based on previous research and the Technology Acceptance Model and made the theoretical foundation of the reserach. The result is a theoretically grounded method for cybersecurity training that outlines goals and guidelines for how such training should be implemented. It has been evaluated in several steps with more than 1800 survey participants and 300 participants in various experiments. The evaluations have shown that it can both support users towards secure behaviour and be appreciated by its users.
The main contribution of this research is the method for cybersecurity training, Context-Based Micro-Training (CBMT). CBMT is a theoretical contribution that describes good practices for cybersecurity training for end-users. Practitioners can adopt it as a guide on how to implement such training or to support procurement decisions. The research also shows the importance of integrating usability into the development of security practices. Users must positively receive both training and the guidelines imposed by training since positive user perception increases user adoption. Finally, the research shows that following security guidelines is difficult. While training is essential, this research suggests that training alone is not enough, and future research should consider the interplay between training and other support mechanisms.
Date: 17 November 2022, 13:00-14:00 Where: Zoom
Title: From Campus to Bootcamp and Back – Activities in Cyber-Security Education
Speaker: Gunnar Karlsson, KTH Center for Cyber Defense and Information Security
Brief bio: Gunnar Karlsson is professor at KTH Royal Institute of Technology, since 1998. He has previously worked for IBM Zurich Research Laboratory and the Swedish Institute of Computer Science (now part of RISE). His Ph.D. is from Columbia University, New York. His research relates to mobile communication and quality of service. He received the KTH Pedagogic Prize in 2015, and is a founding member of KTH CDIS and the national initiative Cybercampus Sweden for cybersecurity education, research and innovation.
Abstract: In this talk, I will give a brief overview of the contract education that KTH provides for training Swedish cybersoldiers and officers. The talk will also give an overview of possibilities for continuous education in cyber security and of the preliminary plans for education in the national Cybercampus Sweden. SLIDES 2022-11-17 (pdf)
Language: English
Date: 13 December 2022, 13:00-14:00 Where: Zoom
Title: Data protection in practice and Data Protection Forum
Speaker: Mattias Gotthold, vice chairman of the Data Protection Forum (https://dpforum.se/)
Bio: Mattias Gotthold is a lawyer with solid experience in data protection. He is legal advisor at the Data Law CenterIn and vice chairman of the Data Protection Forum.
Abstract: Presentation related to following questions: What is happening around data protection work in general from a national perspective? What are the challenges today when we have a few years behind us with GDPR? What are organizations still struggling with? What possibilities has the introduction of GDPR strengthened the privacy of the individual. There will also be a presentation of the national network for Data Protection Officers (DPO), the Data Protection Forum. SLIDES 2022-12-13 (pdf)
Past PICS Seminars 2021
Date: 25 February 2021, 13:00-14:00
Title: CHANGING USERS CYBER SECURITY BEHAVIOUR: The development of a method for end-user cybersecurity training
Speaker: Research proposal/planning seminar of Joakim Kävrestad. Discussion Leader: Joeri van Laere
Abstract: The world is becoming ever more digitalised, and we now rely on digital services in our work, as well as in your private lives. As a consequence, the need for cybersecurity is also increasing and is now a necessity for organizations and individuals alike. Insecure user behaviour is one of the major reasons for cybersecurity incidents and the need for assisting users towards security behaviour imperative. The most common suggestion for how to assist users to behave more securely is through training. There are, however, several different approaches for cybersecurity training available, and they have been available for quite some time suggesting that current practices does not work. This research proposal suggests continued research into the domain of cybersecurity training. The aim of the proposed project is to use a design science approach to develop and evaluate a method for cybersecurity training, it will thereby contribute to improving cybersecurity behaviour of end-users.
March
Date: 25 March 2021, 13:00-14:00 Where: Zoom
Title: Using external IT services from the aspects of technology, suitability, legality, and total defense
Speaker: Daniel Melin, a Cloud and Datacenter strategist at the Swedish Tax Agency (Skatteverket)
Brief bio: Daniel Melin works at the Swedish Tax Agency with strategies regarding cloud computing, datacenters and governmental IT. Daniel has previously worked as a procurement officer at Kammarkollegiet and as a IT consultant.
Abstract: Daniel will describe the problem facing authorities wanting to use external IT services from the aspects of technology, suitability, legality, and total defense. SLIDES 2021-03-25 (pdf)
April
Date: 29 April 2021, 13:00-13:45 Where: Zoom
Title: Data – a strategic resource in a smart city
Speaker: Dan Folkesson, CDO Intraservice, City of Gothenburg
Abstract: Dan will talk about why data is the single biggest enabler in a smart city. He will give examples of digital initiatives in the City of Gothenburg and how these help the city to be a smart and sustainable city.
Brief bio: Dan Folkesson is Chief Digital Officer at Intraservice in the City of Gothenburg. His focus is on empowering business development through new smart digital solutions, so the city can be sustainable and open to the world.
Previously he held various leading IT positions in the private sector at Länsförsäkringar, the largest Insurance and Banking company in Sweden. SLIDES 2021-04-29 (pdf)
May
Date: 6 May 2021, 13:00-14:00 Where: Zoom
Title: Cybersecurity in research and innovation
Talk 1: The Swedish innovation node for cybersecurity - purpose and status (Martin Bergling, Node Coordinator)
Talk 2: Cybersecurity at RISE (Shahid Raza, Director, RISE Cybersecurity)
Brief bios: Shahid Raza is the Director of Cybersecurity unit at RISE, where he has been working since 2008. Shahid is also an Associate Professor (Docent) in Uppsala University Sweden. Shahid’s research interests include but are not limited to security and privacy in IoT, secure interconnection of clouds and IoT, and threat intelligence at the edge of IoT.
Martin Bergling is currently leading the work of building a Swedish innovation node specializing in cyber security. Martin has worked with IT and information security in various roles and industries since 1988. A special interest is quantitative risk analysis.
Abstract: The Swedish innovation node for cybersecurity
The innovation node is a result of the Swedish government's planning in 2015. It was then observed that the cyber security industry was diversified and that there was a need for collaboration platforms between different parties in Sweden, both in business and in the public sector.
Today, the node has 70 members and new members are added every week. A website has been established - cybernode.se - where detailed information about the node's activities is provided on the member pages. One of these is the "security profiling" with the help of which a competence database will be built up.
Four working groups are established: “Security needs”, Security in IoT, Risk Analysis Methods, and Security in 5G. A node organization with a steering group and reference group is working, and during 2021-22 more working groups are planned, e.g. in AI, SCADA, security arcitecture and privacy. Other issues concern the industry's lack of competence, a Nordic security network and work to influence policy and regulations in the area. SLIDES 2021-05-06 (pdf)
Abstract: Cybersecurity at RISE
RISE Research Institute of Sweden is a Swedish Government research institute established as a merger of Swedish ICT (SICS, Acreo, Interactive Institute, Viktoria), Innventia, SP, and part of Swerea. RISE has around 3000 employees and it controls or is a part of ~60% of Swedish test and demo facilities. RISE Cybersecurity is among the largest cybersecurity research groups in Sweden consisting of 21 technical cybersecurity experts. This talk will cover our cybersecurity research and development activities. It will highlight new national and EU cybersecurity initiatives including RISE Cyber Range, a state-of-the-art cybersecurity test and demo arena in Kista.
May
Date: Wednesday, 26 May 2021, 13:00-14:00 Where: Zoom
Title: Regional Security: Reality, Challenges and Requirements (presented in Swedish)
Speaker: Robert Sörqvist - Security Operations Center (SOC), Västra Götalands Regionen
Abstract: Presentation VGR-VGR IT- Säkerhet SOC. SLIDES 2021-05-26 (pdf)
June
Date: 16 June 2021, 11:00-12:00 (Note the day and time!) Where: Zoom
Title: Creating a Framework for Security in Radio-Based ICT Systems
Speaker: Research proposal/planning seminar of Marcus Dansarie (Marcus is a joint PhD-student between HiS and FHS.)
Discussion Leader: Professor Yacine Atif
Abstract: Past research concerning the security of ICT systems has primarily considered physical networks. However, there exists a large class of ICT systems that are primarily radio-based. Since they use radio waves for communication, all radio-based ICT systems share a common physical layer that is accessible to anyone within range. This brings with it many security challenges in addition to those present in all ICT systems. Furthermore, many specialized radio-based ICT systems were originally designed and built before the emergence of modern cybersecurity and have come to evolve from simple radio systems into full-fledged digital communications networks. Historically, the need for specialized radio equipment has set a relatively high bar for entry into studying the security of these systems. The bar has become significantly lower as software defined radio (SDR) technology has developed in the past decade.
Researchers have found vulnerabilities in radio-based ICT systems used in, among others, the civil aviation, shipping, rail transport, public security, and military sectors. Despite vulnerabilities in a broad range of radio-based ICT systems, there appears to be no research into common causes of the deficiencies or why the organizations that use them seem to do very little to improve security. The aim of the proposed project is to improve the understanding of security in radio-based systems. Ultimately, the goal is to develop a framework that can aid in helping organizations improve the security of their radio-based ICT systems.
September
Date: 16 September 2021, 13:00-14:00 Where: Zoom
Comment: Seminar replaced by the new professors’ talks
Details:
There are 4 new IIT professors. Yacine Atif (at 9:40), Henrik Engström (at 10:15), Nikolaos Kourentzes (at 13:00-13:35, during our seminar time), and Lars Bröndum (at 14:10).
https://www.his.se/mot-hogskolan/aktiviteter/kalender/2021/installationsforelasning-2021
October
Date: 5 October 2021, 13:00-14:00 Where: Zoom
Title: Informationssäkerhetsdagen 2021 – Högskolan i Skövde (his.se)
Register here:
https://www.his.se/mot-hogskolan/aktiviteter/kalender/2021/informationssakerhetsdagen-2021/
Date: 14 October 2021, 13:00-14:00 Where: Zoom
Title: The fraudster, the user, or the CSO, who’s to blame for user misbehavior?
Speaker: Joakim Kävrestad
Abstract: A well-known security challenge in modern IT is user behavior. Not only is user behavior the root cause of many (most?!) incidents. As IT professionals we explicitly or implicitly expect the users to also be the fix. This talk takes a critical stance on how this problem is handled today and invites a discussion around what expectations can be put on users and why. The presenter is currently a research student with experience in both research and practice in this area. The talk is experience based and will discuss problems with current practice and suggestions for what we are to do instead.
November
Date: 18 November 2021, 13:00-14:00 Where: Zoom. Note: Change of program
Title: ContextBased MicroTraining: A method for implementation of cybersecurity training for end-users
Speaker: Joakim Kävrestad (Thesis Proposal)
Discussion Leader: Ella Kolkowska, Örebro Universitet
Abstract: Over the past decades, society has evolved to become more and more digital, and digital development continues. The result is that users are spending a lot of time online in their personal and professional lives. This digital era enables near-instant communication worldwide, before unprecedented access to a myriad of services and near unlimited access to recreational activities. However, the expansion of the digital era also presents risks as various criminals use it for ill-doing. One example would be a criminal group seeking to make money by stealing proprietary information from an organization. Another example is state-supported actors seeking to access systems in foreign states to steal intellectual property or, even worse, destabilize that state by compromise of critical societal infrastructure and services.
As such, digital services must be secure enough to withstand attacks. Cybersecurity intends to safeguard systems by use of functions and procedures. Cybersecurity has traditionally focused on technical countermeasures such as firewalls, anti-virus programs, and more. While those systems are critical in the defense against the dark arts, they are not enough. Research and examples of attacks in recent years make it evident that attackers attempt to bypass technical security by exploiting human behavior. This includes phishing, where users are persuaded into clicking malicious links or downloading malicious e-mail attachments, attempts to getting hold of user passwords, and more. Indeed, recent reports suggest that insecure user behavior is a root cause of many, if not most, cybersecurity incidents.
User behavior regarding cybersecurity is a crucial part of cybersecurity, and the need to support users towards secure behavior is obvious. The solution to this dilemma, as presented in research and applied in practice, is to provide the user with training. Yet, research suggests that current training methods are not effective enough, which is further demonstrated by the continuous reports of attacks utilizing insecure user behavior. This project aims to research the domain of cybersecurity training with the aim of developing a method for implementation of effective cybersecurity training for end-users. It uses a design science research methodology where a method is developed and evaluated in three design cycles. The expected result is a method that can guide implementation of cybersecurity training for end-users that has been evaluated in different studies, including over 2100 participants in surveys and experiments.
The project further seeks to provide theoretical contributions to the field of human aspects of cybersecurity, and the tentative key contributions are: First, while users are interested in being secure, security is often not a top priority. Tool and guidelines should therefore minimize the effort the user needs to put into following them. Users are likely to neglect or find workarounds for security tools and guidelines that require too much effort. Second, presenting training to users in a situation where the training is of direct relevance is beneficial for promoting secure behavior. It makes the provided information more meaningful and acts as an awareness increasing mechanism. Third, while training is important in promoting secure behavior, the guidelines presented by the training should also be considered through a usability lens to ensure that they are, in themselves, usable.
December
Date: 9 December 2021, 13:00-14:00 Where: Zoom. Note: Date
Title: Death, Taxes and Socio-Technical Gaps
Speaker: Stewart Kowalski
Abstract: In this presentation Professor Kowalski frames the problem of privacy, information security and cybersecurity in the world today as a socio-technical regime transition problem and proposed a vision of a Swedish Hybrid Cyber Range with PICS to help research, educate and innovate a more secure and sustainable transition for Sweden.
Research Institutes of Sweden
RISE SICS Cybersecurity
Visiting Researcher
Isafjordsgatan 22, 164 40 Kista
stewart.james.kowalski@ri.se
Visiting Professor
Privacy Information and Cyber Security Center
https://www.his.se/en/about-us/samarbeta-med-oss/pics-center/
School of Informatics
University of Skövde
stewart.kowalski@his.se
Stewart Kowalski
Professor Information Security
Norwegian Cyber Range
https://www.ntnu.no/ncr
Norwegian University of Science and Technology
https://www.ntnu.edu/employees/stewart.kowalski
stewart.kowalski@ntnu.no
+46-73 521 2486
+47-954 34 212
Past PICS Seminars 2020
February
Date: 18 February 2020, 11.00-12.00 Place: University of Skövde Room: Portalen, Utsikten
Title: The concept of privacy related to personal information
Speaker: Oskar MacGregor, Senior Lecturer of Cognitive Neuroscience, School of Bioscience, University of Skövde
Abstract: Although the historical development of the concept of privacy has never been altogether straightforward, conceptual work within information technology has sought to sidestep some of these issues by limiting their application of privacy to the domain of personal information. In this seminar, I briefly explain why such a limitation does not resolve the majority of the conceptual issues, as even though the move does suffice to establish the type of information privacy is thought to be about, it does nothing to indicate either how to demarcate relevant from irrelevant personal information, nor does it establish specifically when privacy does or does not hold in relation to such personal information. Any feasible definition of privacy will need to take these constraints into account, in order to be deployable in applied contexts.
Past PICS Seminars 2019
January
Date: 17 January 2019, 11.00-12:00 Place: Högskolan i Skövde Room: Portalen (P401)
Title: When we talk about privacy, what are we really talking about?
Speaker: PhD Oskar MacGregor, School of Bioscience, Högskolan Skövde
Abstract: Recent developments in areas such as data analysis, in combination with the staggering ubiquity of different forms of smart technology, have engendered renewed interest in individual privacy, in particular its ethical and legal dimensions. The concept of privacy itself is , however, deeply contested, in both philosophical (conceptual) and legal (applied) domains. This is partly due to the contingent specifics of its historical development, and partly due to the concept's emotional force. In this talk, I give an overview of these issues, in order to begin sketching an answer to the question: "When we talk about privacy, what are we really talking about?"
March
Date: 13 March 2019, 14.15-16.00 Place: Högskolan i Skövde Room: Portalen, Utsikten (P501)
Title: Dynamic Vulnerability Analysis in Cyberphysical Systems
Speaker: Yuning Jiang, PhD student
Abstract: The growth and the complexity scale of Cyber-Physical Systems (CPSs) are ever-evolving due to the fast expansion of networked applications in smart-x systems, which are overseeing critical infrastructures such as the smart-grid. These smart networked systems use a network of embedded sensors, platforms and actuators to perceive and affect a physical process that typically requires guaranteed quality-of-service performances provided by safety-critical applications. The confluence of sensors, platforms and networks is also nourishing the expansion of the emerging Internet of Things (IoT) area. However, these developments lead to increased surfaces that are vulnerable to cyberattacks.Since the capability of attackers and the trust in networked-components are subject to substantial variability, a dynamic-vulnerability assessment is advocated in this study, in contrast to traditional static-approaches.
Recent advances in data analytics prompt dynamic data-driven vulnerability assessments, whereby data contained and produced by CPS cyber-components include hidden traces of vulnerability fingerprints. However, the imprecise nature of vulnerability assessment and the huge volume of scanned data call for computational intelligence techniques to analyse such data. We first investigate computational models to capture semantic properties related to vulnerability concepts revolving around CPS components. This study reveals salient metrics and related measurements used to quantify CPS component vulnerabilities. We show the potential of applying fuzzy-logic techniques to diagnose vulnerability, and infer objective vulnerability scores. Then, we examine computational methods to extract meaning from text by mining online public-repositories of published vulnerabilities and discovering potential vulnerability-matches in a given CPS infrastructure. Graph-mining techniques are also explored to identify critical-assets of CPS infrastructure to weigh vulnerabilities, considering topological structures and functional features.
In this proposal, we explore the state of the art and highlight the drawbacks of current research approaches in CPS vulnerability assessment area, based on which, we build our research questions with the purpose to piece together solution elements for the stated problem. In doing so, computational intelligence techniques such as fuzzy-logic and machine-learning, are investigated in order (a) to reduce existing security management gaps induced by ad-hoc and subjective vulnerability auditing processes, (b) to narrow further the risk window induced by discoverable vulnerabilities, and (c) to increase the level of automation in vulnerability analysis, at various levels of the CPS architecture.
April
Date: 12 April 2019, 11.00-12.00 Place: Högskolan i Skövde Room: Portalen, Insikten
Title: The New Swedish Security law - a modern protection for us in a global world that is connected?
Speaker: Carl-Magnus Brandt, CISM, Actea
Abstract: The threat landscape and stability in our region has changed dramatically, what happens when the threat actors move from physical borders into the digital domain?
What has changed from the previous security law and why is this a new era? How can we face this new challenge?
Why is it important for you as a student in information security to be aware of this shift in power?
May
Date: 9 May 2019, 11.00-12.00 Place: Högskolan i Skövde Room: Portalen, Insikten
Title: Resilience to Cyber Attacks
Speaker: Sten F Andler, University of Skövde
Abstract: We present definitions and aspects of resilience as it relates to cyber attacks and other incidents in critical infrastructures that support vital societal services. The discussion is mainly based on a CIRI webinar on "Cyber Risk Scoring and Mitigation for Resilient Cyber Infrastructure", which was also presented at the 2019 CIRI Symposium on Resilience of Critical Infrastructures. From the same symposium we will also discuss measure business/economic resilience to disasters. We end by exploring resilience as a countermeasure to attacks exemplified by applications in mobile computing, in warfare, and in wireless networking.
December
Date: 5 December 2019, 13.00-14.00 Place: Högskolan i Skövde Room: Portalen, Utsikten
Title: The roles in the world of cyber criminals
Speaker: Fredrik Johansson, Check Point
Abstract: In this seminar, Fredrik will present how criminal organizations have built up their cybercrime operations with several suppliers. As part of their work, Check Point has mapped a number of criminal organizations and presents the results of this presentation.
Past PICS Seminars 2018
January
Date: 18 January 2018, 11:00-12:00 Place: Högskolan i Skövde Room: Portalen (P101)
Title: Applied Mathematics Seminar, Coding theory theme, Part 3: Self-dual codes
Speaker: Yohannes Tadesse, Högskolan i Skövde
Abstract: This is a continuation of the seminar series on code theory and this time we consider self-dual codes. The focus will mainly be construction/classification of self-dual codes and their relations with algebraic objects like groups and invariant rings. Concrete examples of the Hamming codes and the Golay codes, and some applications will be presented.
Date: 19 January 2018, 11:00-12:00 Place: Högskolan i Skövde Room: Portalen (P502)
Title: Threat Modeling and Resilience of Critical Infrastructures
Speakers: Yasine Atif, Manfred Jeusfeld, Jianguo Ding, Högskolan i Skövde
Abstract: The smart grid is the current trend to upgrade the ageing energy infrastructure leading to a further distribution of the energy market. However, alongside the expected enhancement in efficiency and reliability, the induced cyber-connectivity prompted by Supervisory Control And Data Acquisition (SCADA) systems that monitor critical infrastructures, expose the grid’s cyberphysical systems to potential cyberattacks. The inherent third-party devices in those cyberphysical systems have a significant dependency on digital communications, which raise concerns over a growing risk from cyberattacks. Conventional security approaches are limited by the scale of the grid and the velocity of data reporting dynamic energy flows. ELVIRA is a project supported by the European Fund on Internal Security (ISF) at University of Skövde, which aims at modelling the grid-infrastructure networks and developing a corresponding testbed facility for testing critical infrastructures’ resilience to cyberthreats. Situation-awareness, vulnerability assessments, and cascading-effects analysis due to cyber-threats are some of the core work-packages in ELVIRA project. In this seminar, we show a conceptual modelling approach to power-grid infrastructures, then discuss cyberthreat modelling for power-grid resilience, and finally reveal a cyberthreat-intelligence based design of the proposed testbed facility that use distributed agents for real-time simulation of cyberphysical-systems security.
February
Date: 1 February 2018, 10:15-11:45 Place: Högskolan i Skövde Room: Portalen (P502)
Title: Vulnerabilities and Countermeasures in Smart Grids
Speaker: Sten F Andler, Högskolan i Skövde
Abstract: We present two KTH papers on 1) a study of software vulnerabilities and weaknesses of cyber components in smart grids, and 2) an analysis of the effectiveness of attack countermeasures in such a system. The focus of both papers is on embedded devices in power substations and generation plants, typically controlled by a SCADA system (for Supervisory Control And Data Acquisition). The vulnerabilities study is on actual systems with intelligent components from major manufacturers. The study uses publicly available data on the types of systems and identified vulnerabilities and weaknesses from publicly available databases and the manufacturer’s websites. The study summarizes the types and severity of common vulnerabilities and shows that they mostly result from a small number of fairly simple weaknesses. It is also apparent that not all manufacturers are keen on disclosing their vulnerabilities and weaknesses. The analysis of countermeasures, on the other hand, constructs abstract models of typical electric power systems, based on publicly available information as well as expert elicitation and certain assumptions. The models are used to evaluate the overall cyber security posture and the effectiveness of protection strategies, using attack graph evaluation (securiCAD). In summary, the most effective measures are network securement (including passwords) and network segmentation (firewalls). Frequent patching is prohibitively expensive and running intrusion detection systems is not usually possible on the heterogeneous hardware. Our own approach in Elvira proposes to perform such intrusion analysis on a common operational picture, separate from the operational system, obtained by extracting data from the operational system itself.
See: Vulnerabilities and Countermeasures in Smart Grids (pdf)
Date: 7 February 2018, 10:15-11:30 Place: Högskolan i Skövde Room: Portalen (P101)
Title: Applied Mathematics Seminar, Coding theory theme, Part 4: Post-quantum cryptography with error-correcting codes
Speaker: Stefan Karlsson and Klara Stokes, Högskolan i Skövde
Abstract: In 1994 Shor showed that the integer factorization problem can be solved in polynomial time on a quantum computer. As a consequence, cryptographic public-key protocols relying on the integer factorization or the discrete logarithm problems, like the popular RSA and elliptic curve cryptography, are unsecure against attacks using quantum computers. Post-quantum cryptography is the research area studying cryptographic protocols that remain secure against such attacks. Code-based cryptography has arisen as a strong candidate for post-quantum cryptography. In this talk we explain how code-based cryptography works, we give a short historical background and a short current state-of-the art.
March
Date: 1 March 2018, 11:00-12:00 Place: Högskolan i Skövde Room: Portalen (P502)
Title: Information Security Management - what is it and why do we need it?
Speaker: Rose-Mharie Åhlfeldt, Högskolan i Skövde
Abstract: Information is an important tool in any organization. The consequence of losing critical information can be devastating to both organizations and individuals. The organization's information security requirements are based on internal business requirements, but also external requirements from stakeholders, legal and contractual requirements as well as industry requirements. In order to protect information in a proper way, organizations need to work systematically with information security. Information Security Management (ISM) is a systematic process of effectively coping with information security threats and risks in organizations. One way to work systematically with information security is therefore to implement an Information Security Management System (ISMS).
April
Date: 19 April 2018, 11:00-12:00 Place: Högskolan i Skövde Room: Portalen (P407)
Title: Cyber Deterrence
Speaker: Gazmend Huskaj.
Abstract: Cyber deterrence is a strategy employed to deter attackers from conducting cyber-attacks in the first place. However, several issues exist when implementing cyber deterrence. The findings show (1) non-existence of the deterrence strategy (2) no doctrine or decision competence to retaliate to an adversary, (3) the armed forces have no authority to retaliate when Swedish sovereignty in Cyberspace is threatened, (4) no norms or regulations exist concerning retaliation, (5) no clear governance on using offensive cyber capabilities, and finally, (6) no credibility in its cyber deterrence posture regarding how much Sweden is willing to sacrifice to protect its electoral system, which is a Swedish national interest. Therefore, this research investigates how cyber deterrence can practically be implemented in Swedish cyber security policy.
December
Date: 6 December 2018, 10:30-12:00 Place: Högskolan i Skövde Room: G207
Title: A Socio-Technical Modeling Approach to Secure Digital Transformation
Speaker: Prof Stewart Kowalski, NTNU, Norway
Abstract: We use a number of different types of models every day in their day-to-day work to protect their organization's information assets. For compliance work we often us a check-list model i.e. a table with a list of requirements with checks and evidence indicating if they are fully compliant, partially compliant, or even non complaint to the requirements. For capital expenditures on new security equipment we use the return on security investment model which is expressed as ROSI= (ALE * mitigation ratio Cost Security Solution/Cost of Security Solution). These models are suitable for solving a number of security problems.
However, these models can be problematic when formulating a secure digital transformation strategy that needs to be reviewed and communicated not only internally in an organization but also with digital partners and customers. To help support with the formulation and communication of a secure digital transformation strategy, Professor Stewart Kowalski presented a socio-technical modeling approach. The presentation covered three areas: history, theory and practice of socio-technical modeling.
Presentation from the seminar (pdf)
Past PICS Seminars 2017
February
Date: 24 February 2017Place: Högskolan i Skövde Room: G110
Title: Data privacy: an introduction
Speaker: Vicenç Torra and Klara Stokes, Högskolan i Skövde
Abstract: The Swedish government wants Sweden to be best in the world to take advantage of the possibilities of digitalization. Digitalization implies many advantages, but there are also problems. One important problem is the privacy of the citizen, the individual and the user of the system. Industry 4.0, pervasive computing, IoT, and big data, in general, all share the privacy concern. The consciousness of this problem has grown as the data driven services have become more and more important in our society. Recently, new laws and regulations were adopted, which implies great responsibilities for anyone who treat personal data, in business or in research. Data privacy studies and develops methods and tools for avoiding the disclosure of sensitive information about individuals from data. There are three communities working on technical solutions for data privacy. They are the Privacy preserving data mining (PPDM), the privacy enhancing technologies (PETs) and the statistical disclosure control (SDC) community. This talk will have two parts, one elementary introduction and a continuation. In the first part we introduce the area of data privacy and its applications. In the second part we will describe some of the privacy problems, and make a classification of tools for data privacy. Then, we will focus on database privacy, outlining the type of research problems we consider. In particular, we will mention privacy models and disclosure risk assessment methods, information loss measures, and data protection methods (also known as masking methods).
November
Date: 20 November 2017, 13:15-14:30 Place: Högskolan i Skövde Room: Portalen (Vänern/Vättern)
Title: Applied Mathematics Seminar, Error-correcting codes and applications
Speaker: Stefan Karlsson and Klara Stokes, Högskolan i Skövde
Abstract: In the transmission of information, errors occur. By coding the information before transmission using an error-correcting code, it is possible to correct such errors and to recover the sent information. Error-correcting codes are used in various applications like data storage, data transmission, data compression, and cryptography. This seminar is divided in two parts. The first part is an elementary introduction to linear error-correcting codes, with many simple examples. In the second part we will see examples of how error-correcting codes are used in some applications. SLIDES 2017-11-20 (pdf)
December:
Date: 15 December 2017, 11:00-12:00 Place: Högskolan i Skövde Room: Portalen (P101)
Title: Applied Mathematics Seminar, Coding theory theme, Part 2: Different types of codes
Speaker: Yohannes Tadesse, Högskolan i Skövde
Abstract: This is part of the Applied Mathematics Seminar series which deals with Coding theory. The speakers in the previous seminar talked about linear codes and some applications. As a continuation, in this seminar I will talk about some aspects of cyclic codes and Goppa codes and, if time allows, algebraic geometry codes. The talk is aimed at anyone with/out any background in the subject. So everyone is welcome!
Date: 11 December 2017, 09:00-10:00 Place: Högskolan i Skövde Room: Portalen (P502)
Title: Recent developments on integral privacy
Speaker: Navoda Senavirathne, Högskolan i Skövde
Abstract: Data privacy studies methods and tools to avoid the disclosure of sensitive information. Quite a few data privacy models have been introduced in the literature. They define when a data set can be considered protected and/or offer degrees of privacy. The definition of privacy models is a first step towards the definition of data protection mechanisms that are compliant with these models. Examples of privacy models include re-identification, k-anonymity, and differential privacy. Nowadays there exists a plethora of data protection methods for each of these models. Different data protection methods compete on the type of data to be considered (e.g., databases, streaming data), the quality of the protected data (e.g., low information loss), the level of privacy achieved. In a recent paper, we introduced the concept of integral privacy, which is based on the databases that are updated frequently. The definition of integral privacy is based on the idea that models inferred from a dataset should not allow disclosure on the training data or on how data has been updated (records deleted, records modified, etc.). In this talk, we will present the privacy model and our last results in this area.