International Journal on Cyber Situational Awareness (IJCSA)

Editor-in-Chief: Dr Cyril Onwubiko, Director, Artificial Intelligence, Blockchain & Cyber Security, Research Series, London, UK

Associate Editors: Professor Frank Wang, Professor of Future Computing, Chair IEEE Computer Society, UK & Ireland, School of Computing, University of Kent, Canterbury, UK

Professor Karen Renaud, Professor of Cyber Security, University of Abertay, Dundee, Scotland, UK

ISSN: (Print) 2057-2182  ISSN: (Online) 2633-495X

DOI: 10.22619/IJCSA

Published Bi-Annually. Est. 2014


The International Journal of Cyber Situational Awareness (IJCSA) covers innovative research on theoretical and practical aspects of Situational Awareness on Cyber Systems.  The journal focuses on the advancement of the principles, methods and applications of situational awareness to support, enable and facilitate advances in Cyber Systems, Business Information Systems (BIS), Computer Network Defence (CND), Computer Physical Systems (CPS), Enterprise Internet of Things (IoTs), Social Media, Cyber Incident Responses, Control, Containment and Countermeasures (CIRC3), Blockchain and Crypto, Cloud Computing, Chaotic and Emerging aspects of Computing.

IJCSA is a multiple peer reviewed international journal that provides academics, researchers and practitioners in academia, industries and government a platform and an opportunity to present original, innovative and cutting edge research outcomes. It is an open invitation to authors to publish their original and not previously published work. IJCSA is an open access publication, so all published papers are freely available online.

IJCSA is listed in most reputable bibliographic indexes including DBLP.

Table of Contents and List of Contributors

Article 35

GPS Jamming Signal Classification with CNN Feature Extraction in low Signal-to-Noise Environments

Carolyn J. Swinney and John C. Woods

The Global Positioning System (GPS) is a satellite constellation which gives users access to position, navigation and timing services. Many industries not only benefit from this but are reliant on it. Although illegal, GPS jamming devices have the power to cause major disruption to many services including financial, power distribution and communication systems. Recent testing assesses Global Navigation Satellite System (GNSS) jammers as being very dangerous to aircraft and Unmanned Aerial Vehicles (UAVs) especially those flying at low height. GNSS is also critical to the safe operation of Connected and Autonomous Vehicles (CAV) such as driverless cars. Timely detection of an attack is deemed to be enough to ensure the safety of the vehicle. Detection and classification of GNSS jamming signals is necessary to enable this. This paper considers feature extraction using a Convolutional Neural Network (CNN) when representing the signal as a graphical image. The JamDetect dataset is produced containing 6 different types of commercial jamming signals. Features are extracted using a CNN before a machine learning classifier is trained for classification. Results show that representing the signal in the graphical form of Power Spectral Density (PSD) is the least susceptible to noise. CNN feature extraction with machine learning classifier Logistic Regression using PSD produces 82.7% (+/-0.7%) at -20dB SNR and 100% accuracy at -10dB SNR. The results using PSD graphical signal representation are significant for when it is necessary to detect and classify GPS jamming signals in low SNR environments.

Article 36

Digital Forensic Readiness of Information Systems: A cost-benefit variable analysis

Antonis Mouhtaropoulos

Despite the increasing amount of research on the pre-incident side within a digital forensic investigation, little steps have been taken towards assessing the effectiveness of such a plan in terms of cost effectiveness. This research paper lays the foundations of a cost-benefit variable analysis within a digital forensic readiness context by defining a cost-benefit relationship effect model. We collect novel, primary data from organisations and institutions that implement a digital forensic readiness plan to identify cost variables of each measure and threat, and benefit variables of each measure to be taken. We conduct data analysis to portray that specific cost variables have a significant effect on specific benefit variables and present the results of the data collection process amongst organisations and institutions applying a digital forensic readiness plan. Lastly, we produce hypotheses testing results and determine the validity between each cost-benefit relationship.

Article 37

Multidimensional Cybersecurity Framework for Strategic Foresight

Cyril Onwubiko and Karim Ouazzane

Cybersecurity is now at the forefront of most organisations’ digital transformative agendas and National economic, social and political programmes. Hence its impact to society can no longer be seen to be one dimensional. The rise in National cybersecurity laws and regulations is a good indicator of its perceived importance to nations. And the recent awakening for social and ethical transparency in society and coupled with sustainability issues demonstrate the need for a paradigm shift in how cybersecurity discourses can now happen. In response to this shift, a multidimensional cybersecurity framework for strategic foresight underpinned on situational awareness is proposed. The conceptual cybersecurity framework comprising six domains – Physical, Cultural, Economic, Social, Political and Cyber – is discussed. The guiding principles underpinning the framework are outlined, followed by in-depth reflection on the Business, Operational, Technological and Human (BOTH) factors and their implications for strategic foresight for cybersecurity.

Article 31

Keep Calm and Carry on with Cybersecurity @Home: A Framework for Securing Homeworking IT Environment

Max Hashem Eiza, Romanus Izuchukwu Okeke, John Dempsey, Vinh-Thong Ta

For the first time in modern history, businesses had to suddenly facilitate homeworking for a large proportion, if not all, of their workforce because of COVID-19 pandemic. The fact that employees access sensitive corporate data from non-corporate networks opens the door wide for many cybersecurity risks that could result in data loss, breaches and consequently huge financial loss. Since the move was sudden, most businesses, especially small ones, did not have the time to assess their homeworking cybersecurity requirements. This paper aims to bridge this gap and propose a multi-layered framework that is focused on businesses’ requirements to guide cybersecurity @home activities. The framework can be also beneficial for businesses that currently have homeworking cybersecurity policies to assess their compliance with the framework and enrich it.

Article 32

Evaluation of Selected Stacked Ensemble Models for the Optimal Multi-class Cyber-Attacks Detection

Olasehinde Olayemi Oladimeji, Alese Boniface Kayode, Adetunmbi Adebayo Olusola & Aladesote Olomi Isaiah

The significant rise in the frequency and sophistication of cyber-attacks and their diversity necessitated various researchers to develop strong and effective approaches to address recurring cyber threat challenges. This study evaluated the performance of three selected meta-learning models for optimal multi-class detection of cyber-attacks using the University of New South Wales 2015 Network benchmark (UNSW-NB15) Intrusion Dataset. The results of this study show and confirm the ability of the three base models; Naive Bayes, C4.5 Decision Tree, and K-Nearest Neighbor for solving multi-class problems. It further affirms the knack of the duo of feature selection techniques and stacked ensemble learning to optimize ML models’ performances. The stacking of the predictions of the information gain base models with Model Decision Tree meta-algorithm recorded the most improved and optimal cyber-attacks detection accuracy and Mattew’s correlation Coefficient than the stacking with the Multiple Model Trees (MMT) and Multi Response Linear regression (MLR) Meta algorithms.

Article 33

The Cyber Insurance Market in Israel

Tal Pavel

Cyberspace poses many challenges threats and risks which, with the development of technology, are increasingly affecting all of us in terms of the scope, frequency, damage, immediate effects and long-term consequences. All these impact many sectors. Cyber insurance is one of the tools for managing these risks. Indeed, the cyber insurance market is developing around the world, but in many countries, as well as in Israel, it has not yet reached its full potential. This study examined the cyber insurance market in Israel by analyzing the existence of a cyber insurance service among insurance companies and agencies. In addition, it examined the reference to this market by various experts in this field. All the above has been done with the aim of establishing the degree of maturity of the market in Israel.
The findings of the study indicate that the cyber insurance market in Israel is not mature enough. Cyber insurance is not a popular product among companies to manage their cyber risks, mainly due to lack of information, knowledge, awareness among customers, insurance agencies, insurance companies, and government bodies. However, steps are being taken, mainly by Israel National Cyber Directorate (INCD), to empower insurance agents and their customers with relevant professional knowledge.

Article 34

CyberOps: Situational Awareness in Cybersecurity Operations

Cyril Onwubiko

Cybersecurity operations (CyberOps) is the use and application of cybersecurity capabilities to a domain, department, organisation or nation. It is fundamentally to protect digital investments, contribute to national economic wellbeing by providing a safe, secure and conducive environment to conduct business and to protect a nation’s critical national infrastructures and citizens welfare. In this paper, we investigate operational factors that influence situational awareness of CyberOps, specifically, the features that deals with understanding and comprehension of operational and human factors aspects and that helps with insights on human operator decision making (e.g., cognition, teamwork, knowledge, skills and abilities). The operational factors discussed in this paper range from tools, techniques, integration, architecture to automation, cognition, people, policy, process and procedures.

Article 24

Challenges towards Building an effective Cyber Security Operations Centre

Cyril Onwubiko and Karim Ouazzane

The increasing dependency of modern society on IT systems and infrastructures for essential services (e.g. internet banking, vehicular network, health-IT, etc.) coupled with the growing number of cyber incidents and security vulnerabilities have made Cyber Security Operations Centre (CSOC) undoubtedly vital. As such security operations monitoring is now an integral part of most business operations. SOCs (used interchangeably as CSOCs) are responsible for continuously and protectively monitoring business services, IT systems and infrastructures to identify vulnerabilities, detect cyber-attacks, security breaches, policy violations, and to respond to cyber incidents swiftly. They must also ensure that security events and alerts are triaged and analysed, while coordinating and managing cyber incidents to resolution. Because SOCs are vital, it is also necessary that SOCs are effective. But unfortunately, the effectiveness of SOCs are a widespread concern and a focus of boundless debate. In this paper, we identify and discuss some of the pertinent challenges to building an effective SOC. We investigate some of the factors contributing to the inefficiencies in SOCs and explain some of the challenges they face. Further, we provide and prioritise recommendations to addressing the identified issues.

Article 25

Situational Awareness: Examining Factors that Affect Cyber-Risks in the Maritime Sector

Kimberly Tam and Kevin D Jones

Standard risk assessments are used to define and prioritize threats within a sector. However, the rising number of cybersecurity risks in maritime are often temperamental to a range of environmental, technical, and social factors. A change during an incident can significantly alter the risks and, consequently, the incident outcomes. Therefore, agile, changing risk profiles are becoming more necessary in the modern world. In addition to static and dynamic, maritime operational risks can be affected by cyber, cyber-physical, or physical elements. This demonstrates the equal use of information and operational technology (IT/OT); however, most quantitative risk assessment frameworks focus on one or the other. This is not ideal, based on technological trends in the maritime sector. This article explores the factors that affect maritime cyber-risk and examines popular risk frameworks to see whether important maritime-related elements are unaccounted for. These findings are further examined with the results of a survey we conducted to assess the situational awareness of the sector around cyber-risks in maritime. Suggestions for future work on are then made based on our findings.

Article 26

Monitoring ‘Cyber Related’ Discussions in Online Social Platforms

Ruth Ikwu and Panos Louvieris

As the use of social platforms continues to evolve, in areas such as cyber-security and defence, it has become imperative to develop adaptive methods for tracking, identifying and investigating cyber-related activities on these platforms. This paper introduces a new approach for detecting “cyber-related” discussions in online social platforms using a candidate set of terms that are representative of the cyber domain. The objective of this paper is to build and evaluate these candidate terms for detection and tracking of cyber-related activities across various online platforms. The methodology presented in this paper applies natural language processing techniques to representative data from multiple social platforms to develop a representative cyber lexicon that can be applied to filter and text retrieval tasks in online social platforms. This paper also evaluates the terms’ performance in classifying discussions as ‘cyber-related’ or ‘non-cyber-related’. The results presented are most applicable to cyber threat monitoring and detection of malicious cyber activities in online social platforms.

Article 27

Concept and Practical Evaluation for Adaptive and Intelligible Prioritization for Network Security Incidents

Leonard Renners, Felix Heine, Carsten Kleiner, and Gabi Dreo Rodosek

Incident prioritization is nowadays a part of many approaches and tools for network security and risk management. However, the dynamic nature of the problem domain is often unaccounted for. That is, the prioritization is typically based on a set of static calculations, which are rarely adjusted. As a result, incidents are incorrectly prioritized, leading to an increased and misplaced effort in the incident response. A higher degree of automation could help to address this problem. In this paper, we explicitly consider flaws in the prioritization an unalterable circumstance. We propose an adaptive incident prioritization, which allows to automate certain tasks for the prioritization model management in order to continuously assess and improve a prioritization model. At the same time, we acknowledge the human analyst as the focal point and propose to keep the human in the loop, among others by treating understandability as a crucial requirement.

Article 28

Stress Amongst Novice Information Security Risk Management Practitioners

Erik Bergström and Martin Lundgren

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Article 29

A blueprint and proof-of-concept for a national cyber security sensor network

Florian Skopik and Stefan Filip

The timely exchange of information on new threats and vulnerabilities has become a cornerstone of effective cyber defence in recent years. Especially national authorities increasingly assume their role as information brokers through national cyber security centres and distribute warnings on new attack vectors and vital recommendations on how to mitigate them. Although many of these initiatives are effective to some degree, they also suffer from severe limitations. Many steps in the exchange process require extensive human involvement to manually review, vet, enrich, analyse and distribute security information. Some countries have therefore started to adopt distributed cyber security sensor networks to enable the automatic collection, analysis and preparation of security data and thus effectively overcome limiting scalability factors. The basic idea of IoC-centric cyber security sensor networks is that the national authorities distribute Indicators of Compromise (IoCs) to organizations and receive sightings in return. This effectively helps them to estimate the spreading of malware, anticipate further trends of spreading and derive vital findings for decision makers. While this application case seems quite simple, there are some tough questions to be answered in advance, which steer the further design decisions: How much can the monitored organization be trusted to be a partner in the search for malware? How much control of the scanning process should be delegated to the organization? What is the right level of search depth? How to deal with confidential indicators? What can be derived from encrypted traffic? How are new indicators distributed, prioritized, and scan targets selected in a scalable manner? What is a good strategy to re-schedule scans to derive meaningful data on trends, such as rate of spreading? This paper suggests a blueprint for a sensor network and raises related questions, outlines design principles, and discusses lessons learned from small-scale pilots.

Article 30

Behavioral Cybersecurity: Investigating the influence of Patching Vulnerabilities in Markov Security Games via Cognitive Modeling

Zahid Maqbool, V. S. Chandrasekhar Pammi and Varun Dutt

Current research in cyber-security is not focused on human decision-making. The primary objective of this study is to address this gap and investigate how cognitive processes proposed by Instance-based Learning Theory (IBLT) like reliance on recency and frequency, attention to opponent’s actions, and cognitive noise are influenced by the effectiveness of vulnerability patching. Data involving participants performing as hackers and analysts was collected in a lab-based experiment in two patching conditions: effective (N = 50) and less-effective (N = 50). In effective (less-effective) patching, computer systems were in a non-vulnerable state (i.e., immune to cyber-attacks) 90% (50%) of the time after patching. An IBL model accounted for human decisions and revealed low (high) reliance on recency and frequency, attention to opponent’s actions, and cognitive noise for hacker (analyst) in effective patching. Whereas, it revealed opposite results for less-effective patching. We highlight the implications of our findings for cyber decision-making.

Article 18

Understanding Cyber Situational Awareness in a Cyber Security Game involving Recommendations

Palvi Aggarwal, Frederic Moisan, Cleotilde Gonzalez, Varun Dutt

Intrusion Detection Systems (IDSs) help in creating cyber situational awareness for defenders by providing recommendations. Prior research in simulation and game-theory has revealed that the presence and accuracy of IDS-like recommendations influence the decisions of defenders and adversaries. In the current paper, we present novel analyses of prior research by analyzing the sequential decisions of defenders and adversaries over repeated trials. Specifically, we developed computational cognitive models based upon Instance-Based Learning Theory (IBLT) to capture the dynamics of the sequential decisions made by defenders and adversaries across numerous conditions that differed in the IDS’s availability and accuracy. We found that cognitive mechanisms based upon recency, frequency, and variability helped account for adversarial and defender decisions better than the optimal Nash solutions. We discuss the implications of our results for adversarial-and-defender decisions in the cyber-world. …

Article 19

When to Treat Security Risks with Cyber Insurance

Per Håkon Meland and Fredrik Seehusen

Transferring security risk to a third party through cyber insurance is an unfamiliar playing field for a lot of organisations, and therefore many hesitate to make such investments. Indeed, there is a general need for affordable and practical ways of performing risk quantification when determining risk treatment options. To address this concern, we propose a lightweight, data-driven approach for organisations to evaluate their own need for cyber insurance. …

Article 20

Threat Detection and Analysis in the Internet of Things using Deep Packet Inspection

Christopher D. McDermott, William Haynes, Andrei V. Petrovksi

The Internet of Things (IoT) has quickly transitioned from a promising future paradigm to a pervasive everyday reality. Many consumer IoT devices often lack adequate security and are increasingly being leveraged to perform DDoS attacks. To improve situational awareness of such attacks amongst consumers, this paper presents two solutions to the detection of botnet activity within consumer IoT devices and networks. First, a detection model is built using Term Frequency-Inverse Document Frequency (tf-idf) and analyses network traffic for semantic structure. …

Article 21

Dynamic Analysis of Ransomware using Opcodes and Opcode Categories

Domhnall Carlin, Philip O’Kane, Sakir Sezer

The explosion of ransomware in recent years has served as a costly re-minder that the malware threatscape has moved from that of socially-inept hobbyists to career criminals. This paper investigates the efficacy of dynamic opcode analysis in distinguishing cryptographic ransom-ware from benignware, and presents several novel contributions. Firstly, a new dataset of cryptoransomware dynamic run-traces, the largest of its kind in the literature. We release this to the wider research community to foster further research in the field. …

Article 22

Putting Things in Context: Securing Industrial Authentication with Context Information

Simon Duque Anton, Daniel Fraunholz, Christoph Lipps, Khurshid Alam, and Hans Dieter Schotten

The development in the area of wireless communication, mobile and embedded computing leads to significant changes in the application of devices. Over the last years, embedded devices were brought into the consumer area creating the Internet of Things. Furthermore, industrial applications increasingly rely on communication through trust boundaries. Networking is cheap and easily applicable while providing the possibility to make everyday life more easy and comfortable and industry more efficient and less time-consuming. One of the crucial parts of this interconnected world is sound and secure authentication of entities. …

Article 23

Heuristic Methods for Efficient Identification of Abusive Domain Names

Egon Kidmose, Erwin Lansing, Søren Brandbyge, Jens Myrup Pedersen

Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cyber-criminals also make use of these to fulfill their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view. We relate this to abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising said techniques. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk Country Code Top-Level Domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. WHOIS data is collected for 10.000 second level domains for 66 days, heuristics are applied, and the resulting rankings guide a manual vetting. Our findings are that with automated heuristics we can limit the manual investigative effort to hours, and still identify 5 domains which are actively abused during our observation period. …

Article 12

Towards Network Science Enhanced Cyber Situational Awareness

Geoffrey B. Dobson, Timothy J. Shimeall and Kathleen M. Carley

A dynamic network analysis is conducted on network flow data to demonstrate an improvement in cyber situational awareness. The analysis begins by collecting network-level data (density, network centralization total degree, and fragmentation) on samples of network flow data using the SiLK collection and analysis suite. The next phase categorized the data into four types: autonomic inflow, autonomic outflow, human inflow, and human outflow.  Using the CASOS tool ORA, a series of dynamic network analyses were performed on each hour of the data. …

Article 13

YAAS – On the Attribution of Honeypot Data

Daniel Fraunholz, Daniel Krohmer, Simon Duque Antón, and Hans Dieter Schotten

One of the major issues in digital forensics and attack analysis is the attribution of an attack to a type of malicious adversary. This is especially important to determine the relevance of an incident with respect to the threat it poses to a system. In this work, a holistic scheme to derive characteristics from honeypot data and to map this data to an attacker model is introduced. This scheme takes data that is provided by deception systems of any kind …

Article 14

The Valleys of Death in Refugee Crisis

Jasmina Marić

The paper analyses the risks of a potential “Valley of Death” in the development of ICT (Information and Communication Technology) for refugees’ social integration. Today’s refugee crisis is distinct from previous ones because of the remarkable refugees’ reliance on technology. While academic literature widely accepts that ICT deployment is especially relevant to refugees’ social integration, little is done in terms of understanding that ICT impact requires a convergence of conditions of which ICT is only one of them. The paper questions the extent to which discrepancy between the ICT demand and supply creates a vacuum in the field of ICT for social inclusion. …

Article 15

Epidemic Response Model for Malware Defense on Computer Networks

Timilehin B. Aderinola, Aderonke F. Thompson, and Boniface K. Alese

The Internet came with serious security vulnerabilities. Now, malicious individuals may gain unauthorized access to protected resources and disrupt network services by using malicious software, also known as malware. Most malware rapidly self-propagate within a network like an infectious disease. The classical epidemic model has been applied to study malware epidemics in computer networks. This study adapted the Susceptible-Infected-Susceptible (SIS) epidemic model to design a defense response model for computer networks and analyse the model obtained using a game theoretic approach of the attacker and defender. …

Article 16

Transparent password policies: A case study of investigating end-user situational awareness

Alberto Bullo, Eliana Stavrou and Stavros Stavrou

Transparent password policies are utilized by organizations in an effort to ease the end-user (e.g. customer) from the burden of configuring authentication settings while maintaining a high level of security. However, authentication transparency can challenge security and usability and can impact the awareness of the end-users with regards to the protection level that is realistically achieved. For authentication transparency to be effective, the triptych security – usability – situational awareness should be considered when designing relevant security solutions / products. Although various efforts have been made in the literature, the usability aspects of the password selection process are not well understood or addressed in the context of end-user situational awareness. This research work specifies three security and usability-related strategies that represent the organizations’, the end users’ and the attackers’ objectives with regards to password construction. …

Article 17

Insight: An Application of Information Visualisation Techniques to Digital Forensics Investigations

Gavin Hales, Ian Ferguson,  and Jacqueline Archibald

As digital devices are becoming ever more ubiquitous in our day to day lives, more of our personal information and behavioural patterns are recorded on these devices. The volume of data held on these devices is substantial, and people investigating these datasets are facing growing backlog as a result. This is worsened by the fact that many software tools used in this area are text based and do not lend themselves to rapid processing by humans.  This body of work looks at several case studies in which these datasets were visualised in attempt to expedite processing by humans. A number of different 2D and 3D visualisation methods were trialled, and the results from these case studies fed into the design of a final tool which was tested with the assistance of a group of individuals studying Digital Forensics. …

Article 1

Understanding Cyber Situation Awareness

Cyril Onwubiko

Historically, situation awareness has been applied to mainstream disciplines such as psychology, air traffic control, and aviation. This trend has since changed. Situation awareness has expanded now into the Cyber domain such as social media, vehicular networks (VANET), cybersecurity, CERTs and computer network defense (CND) etc.  …

Article 2

A Public-Private-Partnership Model for National Cyber Situational Awareness

Timea Pahi and Florian Skopik

The information age has led to the merger of various infrastructures, from both business and governmental sectors and their functions, such as information technology, communication and transport systems, banking and finance, energy supply and process control systems. …

Article 3

Visual Analytics for Non-Expert Users in Cyber Situation Awareness

Philip Legg

The information age has led to the merger of various infrastructures, from both business and governmental sectors and their functions, such as information technology, communication and transport systems, banking and finance, energy supply and process control systems. …

Article 4

A Study on Situational Awareness Security and Privacy of Wearable Health Monitoring Devices

Xavier Bellekens, Kamila Nieradzinska, Alexandra Bellekens, Preetila Seeam, Andrew Hamilton and Amar Seeam

Situational Awareness provides a user centric approach to security and privacy. The human factor is often recognised as the weakest link in security, therefore situational perception and risk awareness play a leading role in the adoption and implementation of security mechanisms. In this study we assess the understanding of security and privacy of users in possession of wearable devices. …

Article 5

Instant Message Classification in Finnish Cyber Security Themed Free-Form Discussion

Samir Puuska, Matti J. Kortelainen, Viljami Venekoski and Jouko Vankka

Instant messaging enables rapid collaboration between professionals during cyber security incidents. However, monitoring discussion manually becomes challenging as the number of communication channels increases. Failure to identify relevant information from the free-form instant messages may lead to reduced situational awareness. In this paper, the problem was approached by developing a framework for classification of instant message topics of cyber security–themed discussion in Finnish. …

Article 6

Predicting the performance of users as human sensors of security threats in social media

Ryan Heartfield and George Loukas

While the human as a sensor concept has been utilised extensively for the detection of threats to safety and security in physical space, especially in emergency response and crime reporting, the concept is largely unexplored in the area of cyber security. Here, we evaluate the potential of utilising users as human sensors for the detection of cyber threats, specifically on social media. For this, we have conducted an online test and accompanying questionnaire-based survey, which was taken by 4,457 users. …

Article 7

Leveraging Biometrics for Insider Misuse Identification

Abdulrahman Alruban, Nathan Clarke, Fudong Li and Steven Furnell

Insider misuse has become a real threat to many enterprises in the last decade. A major source of such threats originates from those individuals who have inside knowledge about the organization’s resources. Therefore, preventing or responding to such incidents has become a challenging task. Digital forensics has grown into a de-facto standard in the examination of electronic evidence, which provides a basis for investigating incidents. …

Article 8

Attack Simulation based Software Protection Assessment Method with Petri Net

Gaofeng Zhang, Paolo Falcarin, Elena Gómez-Martínez, Shareeful Islam, Christophe Tartary, Bjorn De Sutter and Jérôme d’Annoville  

Software protection is an essential aspect of information security to withstand malicious activities on software, and preserving valuable software assets. However, software developers still lack an effective methodology for the assessment of deployed protections, especially in the area of mobile applications. To solve these issues, we present a novel attack simulation based software protection assessment method to evaluate and compare different protection solutions. Our solution relies on Petri Nets to specify and visualize attack models of mobile applications. …

Article 9

Detecting bots using multi-level traffic analysis

Matija Stevanovic and Jens Myrup Pedersen

Botnets, as networks of compromised “zombie” computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified at local and enterprise networks in accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three protocols widely considered as the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning for identifying patterns of botnet network traffic. …

Article 10

A Review of Significance of Energy-Consumption Anomaly in Malware Detection in Mobile Devices

Jameel Qadri, Thomas M. Chen and Jorge Blasco

Mobile devices, such as smartphones, have become an important part of modern lives. However, as these devices have tremendously become popular they are attracting a range of attacks. Malware is one of the serious threats posed to smartphones by the attackers. Due to the limited resources of mobile devices malware detection on these devices remains a challenge. Malware detection techniques based on energy-consumption anomaly present several advantages to circumvent the resource constraints of mobile devices. …

Article 11

N-gram Opcode Analysis for Android Malware Detection

BooJoong Kang, Suleiman Y. Yerima, Sakir Sezer and Kieran McLaughlin

Android malware has been on the rise in recent years due to the increasing popularity of Android and the proliferation of third party application markets. Emerging Android malware families are increasingly adopting sophisticated detection avoidance techniques and this calls for more effective approaches for Android malware detection. …

Topics Covered

Situational Awareness for Computer Networks Defense

  • Computer Network Defense
  • Cyber Situation Awareness
  • Correlation & Automation

Collaborative Situation Awareness for Decision Making

  • Collaborative Defense Approach
  • Situation Assessment & Decision Making

Defense Strategy for the Enhancement of Situational Awareness

  • Risk Management, Governance and Compliance
  • Trust, Privacy and Anonymity Issues
  • Digital Forensic Information Analysis
  • Enterprise Information Security Policies, Standards and Procedures
  • Risks posed by Wireless Networks, including through the use of Mobile Computing, BYOD, Wearable in CND environment

Cyber Situational Awareness Tools & Techniques

  • Fuzzy Logic
  • Rough Set
  • Artificial Neural Networks
  • Artificial Intelligence (AI)
  • Machine Learning (ML)
  • Deep Learning (DL)
  • Deep Reinforcement Learning (DRL)
  • Evolutionary Computing
  • Genetic Algorithm
  • Evidence Theory (DST)
  • Bayesian Networks & Set Theory
  • Big Data Analytics
  • Game Theory
  • Graph Theory

Network Situational Awareness

  • Cyber Attack Scenarios
  • Situation-Aware and Context-Aware Network Applications
  • CERTs and CSIRTs
  • Security Event and Information Management
  • Application Security, Audits and Penetration Testing

Human Factor Cognitive

  • Workload
  • Perception
  • Stress
  • Knowledge
  • Training and Expertise
  • Risk Assessment and Decision Making
  • Forecasting and Prediction
  • Operator SA& Team SA

National and Critical Infrastructure Security Issues

  • Information Security
  • Cyber Security
  • Database Security
  • Application Security
  • Law Enforcement and Surveillance
  • Border Protection and Controls
  • Cyber Warfare and Counter Terrorism

Situation Awareness in Military Operations

  • Military Doctrinal in Situation Awareness
  • C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance)
  • Computer Network Operations
  • Computer Network Defense
  • Mission Awareness, Command and Control

Analysis of Large-Scale Internet Traffic

  • Attack Graphs
  • Advanced Security Incident Analysis
  • Sensor Correlation and Cross-Correlation
  • Implementing Situational Awareness Systems
  • Information Security Metrics and Measurements

Web Traffic Characterisation

  • Intrusion Detection Systems
  • Traffic Characterisation Techniques
  • Web Analytics
  • Security Incident Response

Cyber Situational Awareness Frameworks

  • Proactive Defense Strategies
  • Instance-Based Learning
  • Adaptive Neural Logic
  • Human-Assisted Decision Control
  • Human in the Loop
  • Automated Self-Responder

Fusion Centres

  • Tools for Metric Optimisation
  • Visualisation and Digital Analytics
  • Data Mining
  • Filtration, Selection, and Risk-Based Prioritisation
  • Metrics for Evaluation and Assessment

Situational Awareness Applications

  • Situational Awareness in C4ISR
  • Situational Awareness in Cyber Command and Control Centres
  • Situational Awareness in Intrusion Defense
  • Situational Awareness in Cyber Physical Systems (CPS)
  • Situational Awareness for Internet of Things (IoTs), Enterprise Internet of Things (EIoTs)
  • Open Source Applications

Designing Cyber Situational Awareness Solutions and Services

  • Functional Requirements for Situation-aware services
  • Non-Functional Requirements for Situation-aware Services and solutions
  • Interface Design
  • Interoperability
  • Dynamism
  • Complexity
  • Performance
  • Automation
  • Realtime Processing

Usefulness of Multisensor Data Fusion

  • Information Data Fusion
  • Sensor Fusion for Security Incident Analysis
  • Security Incident Analysis
  • Data Association & Correlation
  • Security Information Visualisation
  • Data Analytics
  • Security Monitoring

Situational Awareness Training

  • Research and development in Situational Awareness
  • Simulation and Testbeds in Cyber Situation Awareness
  • Experimentation & Instrumentation
  • Modelling
  • Knowledge-base
  • Theoretical Underpinnings in Situation Awareness

Mission and Scope

The International Journal on Cyber Situational Awareness (IJCSA) is a comprehensive reference journal, dedicated to disseminating the most innovative, systematic, topical and emerging theory, methods and applications of Situational Awareness (SA) across Cyber Systems, Cyber Security, Cyber Physical Systems, Computer Network Defence, Enterprise Internet of Things (EIoT), Security Analytics, Intelligence and Crypto systems to students, scholars, and academics, as well as industry practitioners, engineers and professionals.

The International Journal of Cyber Situational Awareness (IJCSA) covers innovative research on theoretical and practical aspects of Situational Awareness on Cyber Systems.  The journal focuses on the advancement of the principles, methods and applications of situational awareness to support, enable and facilitate advances in Cyber Systems, Business Information Systems (BIS), Computer Network Defence (CND), Computer Physical Systems (CPS), Enterprise Internet of Things (IoTs), Social Media, Cyber Incident Responses, Control, Containment and Countermeasures (CIRC3).

Possible Readership/Audience

The primary audience for this journal are industry professionals, scholars, researchers and academies working in this fast evolving and emerging discipline. Practitioners and managers working in information technology and cyber security across all industries would vastly improve their knowledge and understanding of critical human and social aspects of situational awareness and computer network defence, human computer interface (HCI) and information security in general. Air space controllers and defence agencies will also find this journal a very helpful and practical resource.

Competing Journals (list of current competition publication)

There are no competing journals in this unique and specialist area, especially those focusing on the application of situation awareness to Cyber Security (CS), Cyber Physical Systems (CPS), and Cyber Incident Responses, Control, Containment and Countermeasures (CIRC3).

Frequency of Publication

Twice a year Journal

Editorial Board


Dr. Cyril Onwubiko
Director – Enterprise Security Architecture, Pearson
Director – Artificial Intelligence, Blockchain & Cyber Security, Research Series, London, UK
Distinguished Speaker – IEEE Computer Society
Past Secretary – IEEE UK & Ireland
Founding Past Chair – IEEE UK & Ireland Blockchain Group


Associate Editors

Professor Karen Renaud
Professor of Cyber Security
University of Abertay, Dundee
Scotland, UK

Professor Frank Wang
Professor of Future Computing
Chair – IEEE Computer Society, UK & Ireland
School of Computing, University of Kent, Canterbury, UK

Editorial Board Members

Dr. Janne Merete Hagen
Norwegian Defence Research Establishment (FFI)

Dr. Nick Savage
Communication Networks and Security Department
University of Portsmouth, UK

Dr. Andrew Lenaghan
Oxford University, Oxford, UK

Dr. Xavier Bellekens
Computer Security & Privacy
University of Abertay, Scotland, UK

Professor Cleotilde Gonzalez
Department of Social and Decision Sciences
Carnegie Mellon University, USA

Dr. Mahmoud Hashem Eiza
School of Physical Sciences and Computing
University of Central Lancashire, Preston, UK

Dr. Ciza Thomas
Electronics and Communication Department,
College of Engineering, Trivandrum, INDIA

Professor Varun Dutt
Associate Professor
School of Computing and Electrical Engineering
Indian Institute of Technology Mandi, INDIA

Professor Stefanos Gritzalis
Professor at the Department of Information and Communication Systems Engineering
University of the Aegean, GREECE

Professor Martin Gilje Jaatun
Adjunct Professor
University of Stavanger, NORWAY

Dr. Carolina Nogeuira
disco | distributed computer systems lab computer science department tu kaiserslautern

Dr. Arnau Erola
Department of Computer Science
University of Oxford, UK

Important Notes before submitting your manuscripts

  1. Please read the submission guidelines before making a submission.
  2. Only original and previously unpublished manuscripts must be submitted to the IJCSA journal.
  3. All accepted manuscripts will be checked against plagiarism using a number of sources.
  4. We only consider/accept manuscripts dedicated and/or relating to Situational Awareness. We do NOT accept general purpose Cyber Security contributions. The IJCSA is solely dedicated to Cyber Situational Awareness; hence some excellent contributions relating to general purpose computing alone will be rejected.
  5. All manuscripts must be prepared following the IJCSA paper template.
  6. All manuscripts are subjected to multiple peer reviews, and revisions may take longer than anticipated.



We are always receiving article submissions for future volumes and numbers, please check the submission guidelines.

  1.  We are now receiving manuscripts for the IJCSA Vol. 6, 2021 journal.
  2.  Papers can be submitted online using the ConfTool portal.
  3.  Paper submission template can be downloaded from this link.
  4.  Paper preparation guidelines can be found on this link.