Journal of Cybersecurity and Privacy

Intrusion Detection Systems (IDS) play a vital role in safeguarding networks, yet their effectiveness is often challenged, as cyberattacks evolve in new and unexpected ways. Machine learning models, although very powerful, usually perform well only on data that closely resembles what they were trained on. When faced with unfamiliar traffic, they often misclassify. In this work, we examine this generalization gap by training IDS models on one Denial-of-Service (DoS) variant, DoS Hulk, and testing them against other variants such as Goldeneye, Slowloris, and Slowhttptest. Our approach combines careful preprocessing, dimensionality reduction with Principal Component Analysis (PCA), and model training using Random Forests and Deep Neural Networks. To better understand model behavior, we tuned decision thresholds beyond the default 0.5 and found that small adjustments can significantly affect results. We also applied Shapley Additive Explanations (SHAP) to shed light on which features the models rely on, revealing a tendency to focus on fixed components that do not generalize well. Finally, using Uniform Manifold Approximation and Projection (UMAP), we visualized feature distributions and observed overlaps between training and testing datasets, but these did not translate into improved detection performance. Our findings highlight an important lesson: visual or apparent similarity between datasets does not guarantee generalization, and building robust IDS requires exposure to diverse attack patterns during training. Full article

The General Data Protection Regulation (GDPR) imposes additional demands and obligations on service providers that handle and process personal data. In this paper, we examine how advanced cryptographic techniques can be employed to develop a privacy-preserving solution for ensuring GDPR compliance in Industrial Internet of Things (IIoT) systems. The primary objective is to ensure that sensitive data from IIoT devices is encrypted and accessible only to authorized entities, in accordance with Article 32 of the GDPR. The proposed system combines Decentralized Attribute-Based Encryption (DABE) with smart contracts on a blockchain to create a decentralized way of managing access to IIoT systems. The proposed system is used in an IIoT use case where industrial sensors collect operational data that is encrypted according to DABE. The encrypted data is stored in the IPFS decentralized storage system. The access policy and IPFS hash are stored in the blockchain’s smart contracts, allowing only authorized and compliant entities to retrieve the data based on matching attributes. This decentralized system ensures that information is stored encrypted and secure until it is retrieved by legitimate entities, whose access rights are automatically enforced by smart contracts. The implementation and evaluation of the proposed system have been analyzed and discussed, showing the promising achievement of the proposed system. Full article

This study proposes methods of computer simulation to study and optimize the cybersecurity of Small Modular Nuclear Reactors (SMRs). SMRs hold the potential to help build a clean and sustainable power grid but will struggle to gain widespread adoption without public confidence in their security. SMRs are emerging technologies and potentially carry higher cyber threats due to remote operations, large numbers of cyber-physical systems, and cyber connections with other industrial concerns. A method of agent-based computer simulations to model the effects, or payoff, of collaboration between cyber defenders, power plants, and cybersecurity vendors is proposed to strengthen SMR cybersecurity as these new power generators enter into the market. The agent-based model presented in this research is intended to illustrate the potential of using simulation to model a payoff function for collaborative efforts between stakeholders. Employing simulation to heighten cybersecurity will help to safely leverage the potential of SMRs in a modern and low-emission energy grid. Full article

Known attacks on the tropical implementation of Stickel protocol involve finding minimal covers for a certain covering problem, and this leads to an exponential growth in the worst case time required to recover the secret key as the used polynomial degree increases. The computational inefficiency of this attack is also observed in practice, unless the number of explored covers is limited, on the expense of the success rate of the attack. Consequently, it can be argued that Alice and Bob can still repel these attacks on tropical Stickel protocol by utilizing very high polynomial degrees, a feasible approach due to the efficiency of tropical operations. The same is true for the implementation of Stickel protocol over some other semirings with idempotent addition (such as the max–min or digital semiring). In this paper, we propose alternative methods to attack the Stickel protocols that avoid solving the covering problem. These methods involve framing the attacks as a mixed integer linear programming (MILP) problem or applying certain heuristic global optimization techniques. We also include a number of numerical experiments to analyze the success rate and the time required to execute the suggested attacks in practice. Full article

This study investigates the evolution of cybercrime in Greece by analyzing data from the Cyber Crime Division of the Hellenic Police. By combining 2023 statistics with earlier national and international data (e.g., Europol, FBI), this study presents a comprehensive 15-year view of cybercrime trends. Key findings highlight a persistent rise in cyber incidents, with financial fraud as the most common type. Other major threats include unauthorized system access, data breaches, and crimes targeting vulnerable populations. The study assesses national legislation aligned with EU directives and outlines stakeholder roles. It underscores the need for adaptive legal frameworks, inter-agency cooperation, and public awareness to mitigate Greece’s growing cybersecurity challenges. Full article

As more machine learning models are used in sensitive fields like healthcare, finance, and smart infrastructure, protecting structured tabular data from privacy attacks is a key research challenge. Although several privacy-preserving methods have been proposed for tabular data, a comprehensive comparison of their performance and trade-offs has yet to be conducted. We introduce and empirically assess a combined defense system that integrates differential privacy, federated learning, adaptive noise injection, hybrid cryptographic encryption, and ensemble-based obfuscation. The given strategies are analyzed on the benchmark tabular datasets (ADULT, GSS, FTE), showing that the suggested methods can mitigate up to 50 percent of model inversion attacks in relation to baseline models without decreasing the model utility (F1 scores are higher than 0.85). Moreover, on these datasets, our results match or exceed the latest state-of-the-art (SOTA) in terms of privacy. We also transform each defense into essential data privacy laws worldwide (GDPR and HIPAA), suggesting the best applicable guidelines for the ethical and regulation-sensitive deployment of privacy-preserving machine learning models in sensitive spaces. Full article

Cybersecurity management plays a key role in preserving the operational security of nuclear power plants (NPPs), ensuring service continuity and system resilience. The growing number of sophisticated cyber-attacks against NPPs requires cybersecurity experts to detect, analyze, and defend systems and data from cyber threats in near real time. However, managing a large numbers of attacks in a timely manner is impossible without the support of Artificial Intelligence (AI). This study recognizes the need for a structured and in-depth analysis of the literature in the context of NPPs, referring to the role of AI technology in supporting cyber risk assessment processes. For this reason, a systematic literature review (SLR) is adopted to address the following areas of analysis: (i) critical assets to be preserved from cyber-attacks through AI, (ii) security vulnerabilities and cyber threats managed using AI, (iii) cyber risks and business impacts that can be assessed by AI, and (iv) AI-based security countermeasures to mitigate cyber risks. The SLR procedure follows a macro-step approach that includes review planning, search execution and document selection, and document analysis and results reporting, with the aim of providing an overview of the key dimensions of AI-based cybersecurity in NPPs. The structured analysis of the literature allows for the creation of an original tabular outline of emerging evidence (in the fields of critical assets, security vulnerabilities and cyber threats, cyber risks and business impacts, and AI-based security countermeasures) that can help guide AI-based cybersecurity management in NPPs and future research directions. From an academic perspective, this study lays the foundation for understanding and consciously addressing cybersecurity challenges through the support of AI; from a practical perspective, it aims to assist managers, practitioners, and policymakers in making more informed decisions to improve the resilience of digital infrastructure. Full article

Cyber-physical infrastructures such as hospitals and smart campuses face hybrid threats that target both digital and physical domains. Traditional security solutions separate surveillance from network monitoring, leaving blind spots when attackers combine these vectors. This paper introduces ARGUS, an autonomous robotic platform designed to close this gap by correlating cyber and physical anomalies in real time. ARGUS integrates computer vision for facial and weapon detection with intrusion detection systems (Snort, Suricata) for monitoring malicious network activity. Operating through an edge-first microservice architecture, it ensures low latency and resilience without reliance on cloud services. Our evaluation covered five scenarios—access control, unauthorized entry, weapon detection, port scanning, and denial-of-service attacks—with each repeated ten times under varied conditions such as low light, occlusion, and crowding. Results show face recognition accuracy of 92.7% (500 samples), weapon detection accuracy of 89.3% (450 samples), and intrusion detection latency below one second, with minimal false positives. Audio analysis of high-risk sounds further enhanced situational awareness. Beyond performance, ARGUS addresses GDPR and ISO 27001 compliance and anticipates adversarial robustness. By unifying cyber and physical detection, ARGUS advances beyond state-of-the-art patrol robots, delivering comprehensive situational awareness and a practical path toward resilient, ethical robotic security. Full article

The rapid expansion of mobile financial services (MFSs) has brought about benefits in terms of financial inclusion in developing countries; however, threats have also emerged on the sides of cybersecurity and privacy. Traditional fraud-detection strategies are usually not responsive in time or adaptive to changing threat scenarios. This study investigates how artificial intelligence (AI) can be employed to strengthen fraud detection and methods to address user privacy concerns within MFS platforms in emerging markets. A mixed-method approach was adopted, i.e., a quantitative survey (n = 151) and a qualitative analysis of open-ended response. A reliability analysis showed internal consistency (Cronbach’s alpha > 0.70 across constructs). The descriptive results demonstrate that 95.4% of those questioned raised privacy concerns, whereas 78.2% recognized the benefits of AI-driven fraud detection. Regression analysis showed that AI significantly improved perceived security (β = 0.63, p < 0.01), although transparency and explainability were critical determinants of trust. The findings indicate that users consider AI a capable real-time fraud detection tool; however, doubts remain regarding data transparency, sharing with third parties, and lack of user-opted control, resulting in the erosion of user trust. The study also indicates that the socio-cultural factors and weak regulatory contexts weigh heavily on users’ acceptance of these AI-powered systems. This study proposes the promotion of Explainable AI (XAI) systems along with privacy-by-design user controls and localized communication approaches to foster trust and further adoption. The study contained within are thus a critical guide for policymakers, fintech developers, and providers, who seek to innovate with user protection within digital fintech. Full article

The growing reliance on satellite-based infrastructures for communication, navigation, defense, and environmental monitoring has magnified the urgency of securing Space Information Networks (SINs) against cyber threats. This paper presents a comprehensive review of the vulnerabilities, threat vectors, and advanced countermeasures impacting SINs. Key vulnerabilities, including system complexity, use of Commercial Off-the-Shelf (COTS) components, lack of standardized security frameworks, and emerging quantum threats, are critically analyzed. This paper classifies cyber threats into active and passive categories, highlighting real-world case studies such as Denial-of-Service attacks, message modification, eavesdropping, and satellite transponder hijacking. A detailed survey of countermeasures follows, focusing on AI-driven intrusion detection, federated learning approaches, deep learning techniques, random routing algorithms, and quantum-resistant encryption. This study emphasizes the pressing need for integrated, resilient, and proactive security architectures tailored to the unique constraints of space systems. It concludes by identifying research gaps and recommending future directions to enhance the resilience of SINs against evolving cyber threats in an increasingly contested space environment. Full article

Prior work has shown that Translation Lookaside Buffer (TLB) data contains valuable behavioral information. Many existing methodologies rely on timing features or focus solely on workload classification. In this study, we propose a novel approach to malware classification using only TLB-related Hardware Performance Counters (HPCs), explicitly excluding any dependence on timing features such as task execution duration or memory access timing. Our methodology evaluates whether TLB data alone, without any timing information, can effectively distinguish between malicious and benign programs. We test this across three classification scenarios: (1) A binary classification problem involving distinguishing malicious from benign tasks, (2) a 4-way classification problem designed to improve separability, and (3) a 10-way classification problem with classes of individual benign and malware tasks. Our results demonstrate that even without execution time or memory access timing, TLB events achieve up to 81% accuracy for the binary, and 72% accuracy for the 4-class grouping, and 61% accuracy for the 10-class grouping. These findings demonstrate that time-independent TLB patterns can serve as robust behavioral signatures. This work expands the understanding of microarchitectural side effects by demonstrating that TLB-only features, independent of timing-based techniques, can be effectively used for real-world malware detection. Full article

Ensuring data privacy and security in sensitive domains such as healthcare remains a critical challenge. Homomorphic Encryption (HE) offers a promising approach by enabling computations directly on encrypted data, but the diversity of available schemes requires careful evaluation before practical adoption. This work conducts a comparative study of six representative HE schemes: BGV, TFHE, Paillier, RSA without padding, BFV, and CKKS. It is adopted a five-step strategy, encompassing preprocessing, cryptographic setup, encryption, homomorphic execution, and decryption, applied to a healthcare dataset. Overall, the comparative analysis underscores that no single scheme is universally optimal. The choice of an HE scheme must be guided by the nature of the required operations, acceptable precision levels, and computational constraints of the target healthcare scenario. Full article

Supervisory Control and Data Acquisition (SCADA) systems play a critical role in industrial processes by providing real-time monitoring and control of equipment across large-scale, distributed operations. In the context of cyber security, Intrusion Detection Systems (IDSs) help protect SCADA systems by monitoring for unauthorized access, malicious activity, and policy violations, providing a layer of defense against potential intrusions. Given the critical role of SCADA systems and the increasing cyber risks, this paper highlights the importance of transitioning from traditional signature-based IDS to advanced AI-driven methods. Particularly, this study tackles the issue of intrusion detection in SCADA systems, which are critical yet vulnerable parts of industrial control systems. Traditional Intrusion Detection Systems (IDSs) often fall short in SCADA environments due to data scarcity, class imbalance, and the need for specialized anomaly detection suited to industrial protocols like DNP3. By integrating GANs, this study mitigates these limitations by generating synthetic data, enhancing classification accuracy and robustness in detecting cyber threats targeting SCADA systems. Remarkably, the proposed GAN-based IDS achieves an outstanding accuracy of 99.136%, paired with impressive detection speed, meeting the crucial need for real-time threat identification in industrial contexts. Beyond these empirical advancements, this paper suggests future exploration of explainable AI techniques to improve the interpretability of IDS models tailored to SCADA environments. Additionally, it encourages collaboration between academia and industry to develop extensive datasets that accurately reflect SCADA network traffic. Full article

Accurate malware family classification from dynamic sandbox reports continues to be a fundamental cybersecurity challenge. Most prior works depend on random splits that tend to overestimate accuracy, whereas deployment requires robustness under temporal drift as well as changing behaviors. We present a leakage-aware pipeline that transforms CAPEv2 sandbox JSON reports into structured visual heatmaps and evaluate models under stratified and chronological splits. The pipeline rigorously flattens behavioral keys, builds normalized representations, and benchmarks Random Forest, MLP, CNN64, HybridNet, and a modern ResNeXt-50 backbone. On the Avast–CTU CAPEv2 dataset containing ten malware families, Random Forest achieves nearly state-of-the-art accuracy (97.2% accuracy, 0.993 AUC) with high efficiency on CPUs, making it attractive for triage. ResNeXt-50 achieves the best overall performance (98.4% accuracy, 0.998 AUC) and provides visual interpretability via Grad-CAM, enabling analysts to verify predictions. We further quantify efficiency trade-offs (inference throughput and GPU memory) and report ablation studies on vocabulary size and keyset choices. These results affirm that though ensemble methods are still robust, heatmap-based CNNs provide better accuracy, interpretability, and robustness against drift. Full article

Large language models (LLMs) have become essential in various use cases, such as code generation, reasoning, or translation. Applications vary from language understanding to decision making. Despite this rapid evolution, significant concerns appear regarding the security of these models and the vulnerabilities they present. In this research, we present an overview of the common LLM models, and their design components and architectures. Moreover, we present their domains of applications. Following that, we present the main security concerns associated with LLMs as defined in different security referentials and standards such as OWASP, MITRE, and NIST. Moreover, we present prior research that focuses on the security concerns in LLMs. Finally, we conduct a comparative study of the performance and robustness of several models against various attack scenarios. We highlight the behavior differences of these models, which prove the importance of giving more attention for the security aspect when using or designing LLMs. Full article

Electronic health record (EHR) data breaches create severe concerns for patients’ privacy, safety, and risk of loss for healthcare entities responsible for managing patient health records. EHR systems collect a vast amount of user-sensitive data, requiring integration, implementation, and the application of essential security principles, controls, and strategies to safeguard against persistent adversary attacks. This research is an exploratory study into current integrated EHR cybersecurity attacks using United States Health Insurance Portability and Accountability Act (HIPAA) privacy and security breach reported data. This work investigates if current EHR implementation lacks the requisite security control to prevent a cyber breach and protect user privacy. We conduct descriptive and trend analysis to describe, demonstrate, summarize data points, and predict direction based on current and historical data by covered entity, type of breaches, and point of breaches (examine, attack methods, patterns, and location of breach information). An Autoregressive Integrated Moving Average (ARIMA) model is used to provide a detailed analysis of the data demonstrating breaches caused by hacking and IT incidents show a significant trend (coefficient 0.84, p-value < 2.2 × 10⁻¹⁶ ***). The findings reveal a consistent rise in breaches—particularly from hacking and IT incidents—disproportionately affecting healthcare providers. The study highlights that EHR data breaches often follow recurring patterns, indicating common vulnerabilities, and underlines the need for prioritized, data-driven security investments. These findings validate the hypothesis that most EHR cybersecurity attacks are concentrated using similar attack methodologies and face common vulnerabilities and demonstrate the value of targeted mitigation strategies to strengthen healthcare cybersecurity. The findings highlight the urgent need for healthcare organizations and policymakers to prioritize targeted, data-driven security investments and enforce stricter controls to protect EHR systems from increasingly frequent and predictable cyberattacks. Full article

Ransomware is a fast-evolving form of cybercrime in which a ransom is demanded to restore access to a victim’s encrypted files. The business model of the criminals relies on victims being willing to pay the ransom demand. In this paper we use insights from behavioural economics to see how the framing of a ransom demand may influence willingness to pay the ransom. We then report the results of an experiment in which subjects ($n=93$) were shown eight different ransom demand splash screens, based on well-known examples of ransomware. The subjects were asked to rate and rank the ransom demands on six criteria that included willingness to pay and willingness to trust the criminals. This allows a within-subject comparison of different ransom demand frames. We find that trust is the main determinant of willingness to pay. We also find that positive framing is likely to increase willingness to pay compared to negative framing. Full article

Modern network intrusion detection systems (NIDSs) rely on complex deep learning models. However, the “black-box” nature of deep learning methods hinders transparency and trust in predictions, preventing the timely implementation of countermeasures against intrusion attacks. Although explainable AI (XAI) methods provide a solution to this problem by providing insights into the reasons behind the predictions, the explanations provided by the majority of them cannot be trivially converted into actionable countermeasures. In this work, we propose a novel tabular diffusion-based counterfactual explanation framework that can provide actionable explanations for network intrusion attacks. We evaluated our proposed algorithm against several other publicly available counterfactual explanation algorithms on three modern network intrusion datasets. To the best of our knowledge, this work also presents the first comparative analysis of the existing counterfactual explanation algorithms within the context of NIDSs. Our proposed method provides plausible and diverse counterfactual explanations more efficiently than the tested counterfactual algorithms, reducing the time required to generate explanations. We also demonstrate how the proposed method can provide actionable explanations for NIDSs by summarizing them into a set of actionable global counterfactual rules, which effectively filter out incoming attack queries. This ability of the rules is crucial for efficient intrusion detection and defense mechanisms. We have made our implementation publicly available on GitHub. Full article

This study presents a novel and interpretable, deployment-ready framework for predicting cybersecurity incidents through item-level behavioral, cognitive, and dispositional indicators. Based on survey data from 453 professionals across countries and sectors, we developed 72 logistic regression models across twelve self-reported incident outcomes—from account lockouts to full device compromise—within six analytically stratified layers (Education, IT, Hungary, UK, USA, and full sample). Drawing on five theoretically grounded domains—cybersecurity behavior, digital literacy, personality traits, risk rationalization, and work–life boundary blurring—our models preserve the full granularity of individual responses rather than relying on aggregated scores, offering rare transparency and interpretability for real-world applications. This approach reveals how stratified models, despite smaller sample sizes, often outperform general ones by capturing behavioral and contextual specificity. Moderately prevalent outcomes (e.g., suspicious logins, multiple mild incidents) yielded the most robust predictions, while rare-event models, though occasionally high in “Area Under the Receiver Operating Characteristic Curve” (AUC), suffered from overfitting under cross-validation. Beyond model construction, we introduce threshold calibration and fairness-aware integration of demographic variables, enabling ethically grounded deployment in diverse organizational contexts. By unifying theoretical depth, item-level precision, multilayer stratification, and operational guidance, this study establishes a scalable blueprint for human-centric cybersecurity. It bridges the gap between behavioral science and risk analytics, offering the tools and insights needed to detect, predict, and mitigate user-level threats in increasingly blurred digital environments. Full article