Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020073

Authors: Safia El Moutaouakil John Lindström Karl Andersson

As large scale digitization continues to reform business processes, one critical challenge organizations are currently facing is managing the staggering amount of data flowing. Further, with large datasets comes the added complexity of insuring a cyber secure environment and shielding the information security management system (ISMS) from undesirable manipulations. Today’s drastic rise of cyberattacks urges the need for effective security frameworks to guard against unauthorized access and malicious acts impeding business operations. The latter of which compelled organizations to adopt holistic information security approaches, commonly implemented via ISMS frameworks. Further, to maintain an effective ISMS, ongoing monitoring and measurements are highly required. Considering the aforementioned points, this paper explores how organizations measure the effectiveness of their ISMS focusing on key performance indicators, metrics, and foundational components involved in information security management by categorizing metrics into governance, risk, and incident response as well as determining the maturity level based on ISO alignment, the presence, specificity and automation of KPIs. Based on empirical interviews with eight diverse organizations, the research findings reveal a wide range of maturity among organizations, from those lacking clear defined KPIs to those with sophisticated multi-layered systems. While special attention is paid to incident-response management, companies with a strong ISMS stand out because they use automated and proactive metrics for strategic reporting, whereas companies with a weaker ISMS often do not have organized KPIs and depend on random manual audits. Based on these results, the present work suggests an analysis framework for evaluating ISMS effectiveness. While previous studies have struggled to define clear ISMS measurement practices, this paper aims to provide insights on measurements by identifying the core building blocks of ISMS and revealing how they are evaluated to drive continual ISMS improvement.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020072

Authors: Ondrej Kainz Sebastián Petro Miroslav Michalko Miroslav Murin Ervín Šimko

Tor is an anonymization network that enables access to hidden services and protects user identity through layered encryption. While its core technology offers strong privacy, users can still be exposed through indirect attack methods or configuration mistakes. This research not only explores de-anonymization techniques but also provides a practical guide for constructing a fully functional experimental Tor environment using virtual machines. The custom-built testbed allows for safe simulation of attacks without impacting the public Tor network. Within this environment, three key information-gathering approaches were evaluated: (1) malware-based reverse shells that establish external communication, (2) malicious PDF and Office files used to trigger outbound connections, and (3) analysis of service misconfigurations that may reveal the IP address of hidden services. The results confirm that although the Tor network itself is resilient, user behavior, improper configurations, and insecure content handling can lead to significant privacy risks. By combining practical environment setup with real-world attack scenarios, this paper serves both as a reference for building experimental Tor networks and as a security-oriented analysis of known de-anonymization vectors. The findings emphasize the critical need for user awareness and precise configuration in privacy-focused technologies.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020071

Authors: Jesse Van Griensven Thé Victor Oliveira Santos Bahram Gharabaghi

The literature indicates that the qubit requirements for factoring RSA-2048 remain on the order of 1 million, under commonly assumed architectures and error-correction models, leaving a substantial gap between current resource estimates and near-term practical feasibility. Reducing this requirement to the low-thousand-qubit regime therefore remains an important open research objective. This work proposes a hybrid classical–quantum algorithm that uses a classical modular exponentiation subroutine with a Quantum Number Theoretic Transform (QNTT) circuit to increase the speed and reduce the required quantum resources relative to Shor’s algorithm for integer factorization, which underpins cryptographic systems like RSA and ECC. We evaluate multiple coprime numbers, the result of multiplication of two primes, in both simulation and real quantum hardware, using IBM’s reference Shor implementation as the baseline. Because Shor and proposed Jesse–Victor–Gharabaghi (JVG) use different register sizes for the same coprime N, the reported gate/depth reductions should be interpreted as end-to-end quantum-resource budgets for factoring the same N, rather than a per-qubit or transform-only efficiency claim. In simulation, the JVG algorithm achieved substantial practical reductions in computational resources, decreasing runtime from 174.1 s to 5.4 s, memory usage from 12.5 GB to 0.27 GB, and quantum gate counts by approximately 99%. On quantum hardware, JVG reduced the required runtime from 67.8 s to 2 s, and the quantum gate counts by over 98%. We showed that the proposed algorithm can address the relevant RSA-1024 case scenario, establishing that this method can provide validation for large-scale situations. Furthermore, extrapolation to RSA-2048 indicates that the JVG algorithm significantly outperforms Shor’s approach, requiring a projected quantum runtime of 29 h for ten thousand runs for factorization under identical scaling assumptions. Overall, these results support JVG as a more hardware-compatible and robust noise-tolerant substitute for Shor’s framework, offering a viable research direction toward practical quantum integer factorization on near-term Noisy Intermediate-Scale Quantum (NISQ) devices.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020070

Authors: Mostafa Moallim Seokhee Lee Ibrahim Alzahrani Faisal Abdulaziz Alfouzan Kyounggon Kim

Ransomware operations have evolved from isolated malware incidents into organized ransomware-as-a-service (RaaS) ecosystems that employ coordinated tactics, techniques, and procedures and increasingly rely on automation and artificial intelligence to scale intrusions. However, most assessments remain artifact-centric, focusing on malware signatures or aggregate victim counts, which provide limited visibility into differences in actor-level behavior and operational capability. This study introduces the AI-Amplification Indicator (AIAI), an interpretable actor-level scoring framework that transforms publicly observable leak-site disclosures and verifiable open-source evidence into quantitative behavioral profiles. Using continuous monitoring of dark web leak portals, we construct a standardized dataset of ransomware disclosures for 2025 with temporal, geographic, and sector metadata. AIAI measures four complementary dimensions: GenAI-enabled social engineering, operational tempo and orchestration, targeting breadth and diversification, and temporal scaling dynamics. Indicators are computed for all observed actors, while comparative profiling focuses on the ten most active actors to ensure stable behavioral estimation. The analysis reveals substantial heterogeneity in posting cadence, targeting strategies, and scaling dynamics, as well as limited but measurable evidence of automated or AI-assisted deception. These differences are not captured by victim counts alone. The proposed framework provides a transparent and reproducible approach for actor-level ransomware intelligence, enabling systematic comparison of operational styles and supporting data-driven defensive prioritization.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020069

Authors: Sebastien Kanj Gorka Vila Josep Pegueroles

Anti-analysis techniques, also known as evasive techniques, enable Windows malware to detect and evade dynamic inspection environments, undermining the effectiveness of virtual-machine and sandbox-based inspection. Despite extensive prior research, no unified classification has been paired with a large-scale empirical evaluation of static detection capabilities for these behaviors. This paper addresses this gap by presenting a comprehensive classification and detection framework. We consolidate 94 anti-analysis techniques from academic, community, and threat-intelligence sources into nine mechanistic categories and derive corresponding YARA rules for static identification. In total, 82 YARA signatures were authored or refined and evaluated on 459,508 malware and 92,508 goodware samples. After iterative refinement using precision thresholds, 42 rules achieved high accuracy (≥75%), 16 showed moderate precision (50–75%), and 24 were discarded due to unreliability. The results indicate strong static detectability for firmware- and BIOS-based checks, but limited precision for timing-based evasions, which frequently overlap with benign behavior. Although YARA provides broad coverage of observable artifacts, its static nature limits detection under obfuscation or runtime mutation; our measurements therefore represent conservative estimates of technique prevalence. All validated rules are released in an open-source repository to support reproducibility, improve incident-response workflows, and strengthen prevention and mitigation against real-world threats. Future work will explore hybrid validation, container-evasion extensions, and forensic attribution based on signature co-occurrence patterns.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020068

Authors: Javeriah Saleem Rafiqul Islam Irfan Altas Md Zahidul Islam

With the widespread adoption of anonymity networks such as Tor, I2P, and JonDonym, reliably classifying darknet traffic remains challenging due to feature redundancy and severe class imbalance in encrypted flows. Existing approaches often rely on static feature-selection strategies and generic oversampling methods, which limit robustness and may distort traffic semantics. This study proposes an adaptive classification framework integrating Adaptive Weighted Feature Aggregation (AWFA) for reliability-aware feature selection and Traffic-Aware SMOTE (TA-SMOTE) for semantically constrained perturbations of packet-size and timing features while preserving flow-level structure. The framework is evaluated on a two-layer hierarchy comprising browser-level (L1) and application-level (L2) classification. At the L2, the proposed AWFA and TA-SMOTE pipeline attains a macro-F1 score of 73.81%, significantly exceeding PCA-based reduction and traditional RF-based selection with SMOTE. At the browser level (L1), macro-F1 rises from 91.58% to 96.09% while reducing the feature space from 84 to 40 attributes, highlighting both performance improvements and structural efficiency gains. Additional semantic validation confirms that the balancing process preserves the statistical and structural characteristics of genuine darknet traffic. These results indicate that reliability-aware feature aggregation and traffic-aware balancing provide a practical, trustworthy approach to modern darknet traffic classification.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020067

Authors: Ivana Ogrizek Biškupić Mislav Balković Ivan Bencarić

Asset discovery is a fundamental but inherently flawed capability in cybersecurity, as current methodologies frequently confuse preliminary discovery observations with definitive asset inventories, thereby obscuring uncertainty, restricting auditability, and eroding trust in security-critical decision-making. This work addresses the issue of inconsistent asset identification in dynamic IT settings by presenting an evidence-based architectural paradigm that clearly distinguishes observation, identity resolution, and inventory representation. The principal research aim is to develop and authenticate an architecture that maintains discovery evidence, facilitates deterministic, verifiable identity resolution, and supports interpretable inventory derivation. In contrast to state-centric and model-driven methodologies, the proposed architecture enhances (i) traceability through the preservation of time-scoped, method-attributed observations, (ii) identity continuity amidst dynamic conditions such as IP reassignment and infrastructure modifications, and (iii) auditability by facilitating the reconstruction of inventory claims from foundational evidence. An examined proof-of-concept implementation in a controlled yet realistic network environment shows superior identity stability, greater discovery traceability, and retention of historical context relative to traditional inventory models. The results validate the practicality and architectural benefits of the strategy; nevertheless, the evaluation is constrained by a lack of formalised performance indicators and adversarial robustness, which are recognised as priorities for further investigation.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020066

Authors: Joakim Kävrestad Erik Bergström Rebecca Gunnarsson Ali Mazeh Linus Stenlund

Raising cybersecurity awareness (CSA) of employees is crucial for all modern organisations. To meet the organisational need for CSA, activities aimed at increasing CSA have been the focus of both industry and research in the past. There are, subsequently, a plethora of CSA activities for organisations to choose from. Nevertheless, research consistently reports that organisations struggle to raise CSA to an appropriate level, and a core issue lies in their ability to select CSA activities and effectively adopt them. This paper used semi-structured interviews with practitioners working on CSA adoption in public-sector organisations to identify what practitioners perceive as success factors. The interviews were analysed through a socio-technical lens and resulted in a taxonomy that groups success factors for CSA adoption in the three socio-technical dimensions: organisational, user-centric, and technical. The taxonomy outlines ten success factors and demonstrates how the participants see success of CSA activities as not only dependent on technical factors but also, and perhaps even more important, user-adaptability and organisational readiness. The results were validated in a workshop with CSA experts across Europe, who highlighted the practical usefulness of the taxonomy as both a map of potential challenges and a teaching tool for educating new CSA practitioners.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020065

Authors: Zachary Larkin Chuck Easttom

LoRaWAN’s role in global maritime logistics has allowed for efficient monitoring of ships and cargo, but it also comes with critical cybersecurity vulnerabilities. Experimental validation of three attack vectors—replay attacks, narrowband jamming and metadata inference—is conducted using a reproducible digital-twin LoRaWAN dataset reflecting Rotterdam port-like operational patterns (N = 20,000 baseline transmissions). Using controlled simulations and Kolmogorov–Smirnov statistical analysis, we show that: (1) replay attacks are feasible under Activation by Personalization (ABP) configurations lacking enforced frame-counter validation and exhibit no univariate separation from legitimate traffic under Kolmogorov–Smirnov analysis (p > 0.46 for all evaluated radio features); (2) narrowband jamming leads to significant SNR degradation (p = 2.36 × 10−5) on targeted channels without inducing broad distributional anomalies across other radio features; and (3) metadata-only analysis supports elevated metadata-based re-identification susceptibility (median Rd=0.834), indicating high predictability under passive observation which can reveal operationally relevant signals even when AES-128 is employed. Our proposed layered mitigation framework consists of mandatory Over-the-Air Activation (OTAA), cryptographic key rotation, channel diversity incorporating Adaptive Data Rate (ADR), gateway hardening, and protocol-level enforcement considerations, customized for maritime LPWAN scenarios. We provide experiment-backed evidence and actionable recommendations to connect academic LPWAN security research to that of industrial maritime practice.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020064

Authors: Bashaer H. Alrashid Mazen Alwadi Qasem Abu Al-Haija

Detecting denial of service traffic remains challenging when malicious sessions exhibit flow characteristics that closely resemble benign network behavior, particularly in low-rate attack settings. This study examines whether autoencoder-based feature compression can improve flow-based intrusion detection while maintaining a deployment-oriented design. We develop a lightweight pipeline that learns a low-dimensional latent representation of tabular flow features using an autoencoder and performs classification using Random Forest, LightGBM, and a radial basis function neural network. Using the CICIDS 2017 dataset, the best performing configurations achieve 99.43 percent accuracy with autoencoder plus Random Forest and 99.39 percent with autoencoder plus LightGBM, while autoencoder plus radial basis function neural network achieves 98.27 percent, with consistently strong precision, recall, and F1-score. The findings support practice by showing that high detection performance can be achieved using compact learned features that reduce input complexity for downstream models, which is beneficial for operational monitoring environments. The study advances knowledge by providing a reproducible evaluation of representation learning as a feature compression step for tabular intrusion detection, and by linking model performance to measurable computational considerations relevant to real-world deployment.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020062

Authors: Kudakwashe Maguraushe Adéle Da Veiga Nico Martins

The protection of personal information has become a defining challenge for higher education institutions, particularly in developing contexts where regulatory frameworks are often strong on paper but weak in practice. This study investigates student perceptions of privacy within Zimbabwe’s higher education system, focusing on three constructs: awareness, expectations, and confidence across nine core privacy components derived from international principles (FIPPs, OECD, GDPR) and the Zimbabwe Data Protection Act (ZDPA). Using survey data from 287 students across diverse programmes and modes of study, descriptive and comparative analyses reveal a striking pattern: students demonstrate high awareness and very strong expectations, yet their confidence in institutional compliance remains significantly lower. The largest deficits were found in privacy education, consent, and notice/openness, suggesting that institutions are perceived as technically competent in data handling but weak in transparency, accountability, and student engagement. The research extends privacy perception models by considering the discrepancy between the students’ expectations and the institutional trust. It also encourages universities to go beyond mere compliance by implementing concrete measures such as privacy training, clear consent, and frequent data audits. The findings contribute to global debates on privacy by offering evidence from the Global South, showing that the key challenge is not student ignorance but institutional trustworthiness. Bridging this awareness-confidence gap is essential for building a privacy-conscious academic environment.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020063

Authors: Ayan Joshi Sabur Baidya

The convergence of Large Language Models (LLMs) and Internet of Things (IoT) systems has created a new class of intelligent applications across healthcare, industrial automation, smart cities, and connected homes. However, this integration introduces a complex and largely underexplored security landscape. LLMs deployed in IoT contexts face threats spanning both the AI and embedded systems domains, including prompt injection through sensor-driven inputs, model extraction from edge devices, data poisoning of IoT data streams, and privacy leakage through LLM-generated responses grounded in personal data. Simultaneously, LLMs are proving to be powerful tools for IoT security, with LLM-based intrusion detection systems achieving 95–99% accuracy on standard IoT datasets and LLM-driven threat intelligence outperforming traditional machine learning by significant margins. We systematically review 88 papers from IEEE, ACM, MDPI, and arXiv (2020–2025), providing: (1) a structured taxonomy of security threats targeting LLM-IoT systems, (2) a review of LLMs as security enablers for IoT, (3) an evaluation of privacy-preserving architectures including federated learning, differential privacy, homomorphic encryption, and trusted execution environments, (4) domain-specific security analysis across healthcare, industrial, smart home, smart grid, and vehicular IoT, and (5) a literature-based comparative analysis of LLM-based security systems. A central finding is the accuracy–efficiency–privacy trilemma: the model compression techniques needed to deploy LLMs on resource-constrained IoT devices can degrade security and even introduce new vulnerabilities. Our analysis provides researchers and practitioners with a structured understanding of both the risks and opportunities at the frontier of LLM-IoT security.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020061

Authors: Zlatan Morić Mislav Balković Donis Isić

Ensuring ongoing endpoint security compliance across diverse, hybrid IT infrastructures poses a continual operational challenge, especially in enterprise Linux systems, where manual verification methods are difficult to scale and prone to inconsistency. This study offers an empirical assessment of an automated methodology for monitoring endpoint compliance and security, applied within a mid-sized IT consulting firm. The suggested methodology incorporates automated compliance scanning, malware detection, endpoint verification, and remediation utilising open-source technology, all orchestrated through centralised automation and reporting systems. The evaluation follows an observational comparative methodology, contrasting manual compliance operations with automated enforcement across 60 Linux endpoints (30 Fedora and 30 Ubuntu systems) over two equivalent eight-week operational periods. The analysis emphasises operational parameters such as administrative workload, configuration uniformity, and audit preparedness. The findings demonstrate that automation reduced manual compliance-related tasks by roughly 70–80%, enhanced configuration consistency across endpoints through continuous enforcement, and enabled automated production of audit-ready compliance reports. The findings provide concrete evidence that operational security automation can markedly improve endpoint compliance management in business Linux and hybrid IT environments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020060

Authors: Iman Almomani Shahed Mehdawi Yazeed Allabadi

Enforcing cybersecurity governance is no longer a choice. It has become essential to protect nations’ safety and economy. In addition to the well-known cybersecurity standards that provide guidelines for implementing security controls, many countries have introduced national cybersecurity frameworks to meet their requirements and needs. These countries also provide assessment tools to check that organizations comply with these frameworks. This research emphasizes the importance of efficient cybersecurity governance practices, highlighting the Jordanian National Cyber Security Framework (JNCSF) that was announced in 2019. We have chosen this framework because, since its launch, it has not been presented or analyzed thoroughly by any of the existing studies. Moreover, the National Cyber Security Center (NCSC) in Jordan has not announced any public self-assessment tools for organizations to evaluate their compliance with the JNCSF. Therefore, the absence of a structured and publicly available self-assessment mechanism for the JNCSF creates a challenge for organizations in objectively measuring their cybersecurity governance readiness. Accordingly, the main contributions of this paper are to provide a detailed breakdown and discussion of the JNCSF, which supports organizations in Jordan and also shares the JNCSF philosophy regionally and internationally. Additionally, this study introduces an efficient self-assessment tool (named JCCT) that can be used both offline and online. JCCT accurately measures the institution’s cybersecurity compliance against JNCSF and international standards (ISO and NIST), reflecting its current state and the potential impact on its risk profile. Moreover, this paper proposes new compliance score equations based on a comprehensive mathematical model that generally benefits any governance system. The JCCT tool offers rich, interactive, customized dashboards and automatically generates reports with recommended action plans for the organization.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020059

Authors: Habiba Hadri Mourad Ouadou Khalid Minaoui

Vehicular Ad Hoc Networks (VANETs) have become the foundation for the implementation of intelligent transportation systems and new vistas for road safety and traffic efficiency. However, these networks are still susceptible to Sybil attacks, a form of attack that requires malicious entities to create a series of fake identities in order to have an out-of-proportion influence. The present paper puts forth a new Sybil attack detection framework that combines Verifiable Delay Functions (VDFs) in synergistic cooperation with a hierarchical fog-cloud computing structure. Our method does not rely on any additional properties of VDFs but uses them to prove uniqueness computationally, deploying purposefully placed fog nodes for effective localized detection. We mathematically formulate a multi-layered detection algorithm that processes interactions between vehicles on two fog (and cloud) layers to produce suspicion scores using spatiotemporal consistency and VDF challenge-response patterns. Security analysis proves the system’s ability to resist a range of Sybil attack variants with performance evaluation outperforming at detection above 97.8% and false positives below 2.3%. The incorporation of machine learning techniques also extends detection capabilities, and our hybrid VDF-ML method proves better adaptation to the changing attack patterns. Details of implementation and detailed simulations in various traffic situations prove the feasibility and efficiency of our proposed solution to set a new level playing ground for secure VANET communications.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020058

Authors: Gabryella Barnes Ahmad Ghafarian

Cybercriminals use advanced techniques to launch an attack against organizations, which causes disruption of normal business activities. The traditional signature-based malware detection methods are not effective in the detection of ransomware. Therefore, the use of machine learning and deep learning for malware detection is becoming a major area of research. There are two types of malware detection strategies, namely, static and dynamic. This work investigates the task-dependent effectiveness of static PE header-based detection by systematically evaluating three binary classification problems of increasing difficulty: ransomware vs. benign, malware vs. benign, and ransomware vs. other malware families. An end-to-end machine learning pipeline is implemented, including dataset-specific preprocessing, class imbalance handling, model training, and evaluation using imbalance-aware metrics. Random Forest, Support Vector Machine, and XGBoost models are assessed across all tasks, with SHAP used to analyze feature contribution and explain performance degradation. The experimental results demonstrate that tree-based ensemble models, particularly XGBoost, achieve strong detection performance when class boundaries are structurally distinct, but they struggle when ransomware must be distinguished from structurally similar malware. The results indicate that static analysis based on PE header features can be a viable approach for pre-execution triage, but they exhibit clear limitations for fine-grained ransomware discrimination.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020057

Authors: Zlatan Morić Vedran Dakić Ivana Ogrizek Biškupić

The escalating scale and complexity of cybercrime necessitate standardized digital forensic protocols to ensure the integrity and admissibility of digital evidence. This study empirically assesses the use of ISO/IEC 27037 and ISO/IEC 27041 through three real-world digital forensic case studies conducted in organizational settings. A multi-case methodology was employed, encompassing a multinational corporate criminal investigation, an internal employee misbehaviour probe, and an examination into mobile- and cloud-based data leaks. The effect of synchronized standard implementation was evaluated using audit-based and quantitative indicators that measure forensic process quality as a system attribute. The findings demonstrate that the systematic implementation of ISO/IEC 27037 and ISO/IEC 27041 improves investigative traceability, documentation quality, and evidentiary robustness. In the worldwide case study, documentation completeness increased by 18%, and all digital evidence was deemed admissible in judicial proceedings, surpassing the institutional baseline admissibility rate of 82%. In other instances, evidence gathered within the same framework was acknowledged in organizational or disciplinary review processes, resulting in similar enhancements in documentation quality and procedural consistency, notwithstanding technological and organizational limitations. The paper develops and empirically substantiates an integrated procedural validation model that connects evidence-handling practices with method and instrument validation. The results indicate that the synchronized implementation of ISO/IEC forensic standards improves the transparency, dependability, and auditability of digital forensic investigations.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020056

Authors: Faiz Alam Mohammed Mubeen Mifthak Sahil Bhalchandra Purohit Md Shadab Gregory T. Byrd Khaled Harfoush

Virtualization is the building block of modern cloud computing infrastructure. However, it remains vulnerable to a range of security threats, including malicious co-located tenants, hypervisor vulnerabilities, and side-channel attacks. These threats are generally mitigated by developing and deploying advanced and complex security solutions that incur significant performance overhead. Prior work on virtual machines (VMs) and containers has mainly evaluated basic security solutions, such as firewalls, using narrow performance metrics and synthetic models within limited evaluation frameworks. These studies often overlook advanced security modules in both user and kernel space, lack the flexibility to incorporate emerging features, and fail to capture detailed system-level impacts. We address these gaps with HyperShield, an open-source framework for unified security evaluation across VMs and containers that mimics a realistic cloud infrastructure. HyperShield supports advanced security modules in both user and kernel space, providing rich system-level performance metrics for comprehensive evaluation. Our performance evaluation shows that containers generally outperform VMs due to their lower virtualization overhead, achieving a throughput of 9.38 Gb/s compared to 1.98 Gb/s for VMs for our benchmarks. However, VMs’ performance is comparable for kernel-space deployments, as Docker uses the shared kernel space of the Docker bridge, which can result in packet congestion. In latency-sensitive workloads, VM access latency of 14.91 ms is comparable to Docker’s 12.86 ms. In storage benchmarks, FIO, however, VMs outperform Docker due to the overhead of Docker’s layered, copy-on-write file system, whereas VMs leverage optimized virtual block devices with near-native I/O performance. These results highlight performance dependencies on benchmark choice, trade-offs in deploying security workloads between user and kernel space, and the choice of containers and virtual machines as virtualization environments. Therefore, HyperShield provides a comprehensive evaluation toolkit for exploring an optimal security-module deployment strategy.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020055

Authors: Prashanth Krishnamurthy Ali Rasteh Ramesh Karri Farshad Khorrami

Embedded devices in modern power systems offer increased connectivity and remote reprogrammability/reconfigurability. These features along with interconnections between Information Technology (IT) and Operational Technology (OT) networks enable greater agility, reduced operator workload, and enhanced power system performance and capabilities, as well as expanding the cyber-attack surface. This increased cyber-attack surface, as well as increasingly complex, diverse, and potentially untrustworthy software/hardware supply chains, increases the need for robust real-time monitoring in power systems, and more generally in cyber–physical systems (CPS). We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed framework enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into a time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate the efficacy of our methodology on a hardware in the loop (HITL) testbed under several attack scenarios. The HITL testbed includes multiple physical power system devices (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units—PMUs, relays, Phasor Data Concentrators—PDCs), all interfaced to a dynamic power system simulator.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020054

Authors: Jorge Álvaro González Ana María Saiz García Victor Monzon Baeza

In increasingly interconnected tactical environments, cybersecurity, trust, and interoperability must evolve in tandem. Federated Coalition Networks (FCNs) enable multinational cooperation while preserving national sovereignty; however, the secure management of identities, policies, and configurations across coalition domains remains a critical challenge, particularly under adversarial and resource-constrained conditions. This paper proposes a blockchain-enabled management framework aligned with the defense-in-depth paradigm, focusing on management-plane functions such as policy enforcement, public key infrastructure (PKI) management, and auditable governance, rather than time-critical tactical communications. The solution relies on a permissioned blockchain architecture with Byzantine Fault Tolerant consensus, avoiding energy-intensive Proof-of-Work mechanisms and supporting operation under Disconnected, Intermittent, and Low-bandwidth (DIL) conditions. A coalition-level trust-and-governance model is introduced to prevent unilateral control while preserving national autonomy. A realistic use case and a proof-of-concept implementation demonstrate the feasibility of the approach, showing bounded latency, limited energy overhead, and sufficient throughput for FCN management. These results indicate that appropriately tailored blockchain solutions can effectively enhance resilience, trust, and compliance in federated defense networks.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020053

Authors: Francisco Conceição Manuel Rocha Fernando Almeida

Small-and-medium-sized enterprises (SMEs) increasingly depend on business partnerships to access markets and scale operations, yet they often face trust barriers during contract formation due to the complexity of the verification of their cybersecurity posture and compliance status by their partners. This problem is intensified by rising regulatory expectations, notably the EU Cyber Resilience Act (CRA), which many SMEs struggle to interpret and operationalize under constraints of budget, skills, and fragmented responsibilities. This study adopts a Design Science Research approach to blueprint and evaluate a lightweight mapping framework that links commonly implemented security controls to CRA requirements and to widely recognized benchmarks (ISO/IEC 27001 and CIS). Grounded in Institutional Theory and Socio-Technical Systems Theory, the artefact translates regulatory obligations into actionable, evidence-backed controls and produces partner-facing outputs that support transparency in negotiations and service level agreements. The framework is iteratively co-created with a multidisciplinary expert community. Expected contributions include a practical mechanism for making cybersecurity maturity visible, accelerating partnership formation, and enabling sustainable interorganizational relationships while remaining feasible for resource-constrained SMEs.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020052

Authors: Martin Gilje Jaatun Mary Ann Lundteigen Christoph Thieme Lars Halvdan Flå Karin Bernsmed Roald Lygre Fredrik Gratte

The IEC 62443 standard defines that, based on risk assessment, different parts of an Industrial Automation and Control System (IACS) may have different security levels, and that parts with the same security level can be designated as separate zones. Furthermore, communication between different zones, both intra-IACS and inter-IACS, can be done via conduits. In this article, we argue that zones and particularly conduits can benefit from more detailed discussions of their architecture and implementation. Consequently, as novel contributions we (1) describe detailed principles for implementing conduits; (2) outline a process for connecting zones with potentially different Security Levels (SLs), expressed in the form of a flow chart; and (3) discuss challenges related to the application of zones and conduits in practice.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020051

Authors: Prasert Teppap Wirot Ponglangka Panudech Tipauksorn Prasert Luekhong

In the evolving cybersecurity landscape, detecting Thai-English code-mixed malicious scripts within high-trust domains such as governmental and academic portals presents a significant defensive challenge. While Transformer-based architectures excel in semantic parsing, they often exhibit ‘Structural Bias,’ misinterpreting the high-entropy syntax of benign legacy HyperText Markup Language (HTML) as malicious obfuscation due to inherent ‘Attention Deficit’ in token-limited models. To address this, we propose an Explainable AI (XAI)-Driven Hybrid Architecture grounded in a ‘Selective Integration’ strategy. Unlike traditional hybrid models, our framework mathematically formalizes the fusion process by synergizing context-aware WangChanBERTa embeddings with orthogonal structural statistics through Dempster-Shafer Theory and Conditional Mutual Information (CMI). The proposed model was validated on a high-fidelity corpus, achieving a state-of-the-art F1-score of 0.9908, significantly outperforming standalone Transformers, Random Forest, and unsupervised baselines. XAI diagnostics revealed a ‘Dual-Validation’ mechanism where structural features act as an epistemic anchor. This mechanism effectively triggers a ‘Semantic Veto’ to filter hallucinations caused by benign complexity, achieving a remarkably low False Positive Rate (FPR) of 0.0116. Our findings demonstrate that hybridization is most effective when engineered features provide mathematical orthogonality to semantic embeddings. This work offers a robust, theoretically grounded framework for securing critical digital infrastructures in low-resource linguistic environments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020050

Authors: Sirapat Boonkrong Papitchaya Kaensawan

In this study, we evaluated the performance of the Advanced Encryption Standard (AES)-128, AES-256, and Blowfish algorithms on WearOS for messages ranging from 8 to 128 bytes, which are typical message sizes for contemporary smartwatch applications. Using a WearOS emulator, we measured encryption time, memory usage, central processing unit (CPU) utilization, and battery consumption across 16 messages sizes with 10 repetitions over each configuration. The AES-128 algorithm consistently outperformed the others with approximately 1.0 ms of encryption time at 128 bytes, less than 6 KB memory, and less than 39% peak CPU utilization. The AES-256 algorithm added 25–30% processing overhead and higher energy consumption with negligible extra memory cost. The Blowfish algorithm consumed approximately three times more memory and exhibited the highest battery consumption per operation. It also scales poorly due to its 64-bit block size and large key scheduling approach. In addition, all performance differences are highly statistically significant (p < 0.001). Given the widespread hardware AES acceleration on WearOS devices and memory constraints, AES-128 is recommended as the default symmetric encryption algorithm for confidentiality in smartwatch applications.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020049

Authors: José R. Rosas-Bustos Jesse Van Griensven Thé Roydon Andrew Fraser Nadeem Said Sebastian Ratto Valderrama Mark Pecen Alexander Truskovsky Andy Thanos

Continuous-variable quantum communication (CVQC) relies on finite-window estimation of phase space moments, making receiver decisions sensitive to finite measurement resolution, calibration uncertainty, and confidence-calibrated tolerances. This paper develops a receiver-centric threat modeling framework for structured (including adversarial) physical-layer disturbances under finite-sample inference. We introduce an operational taxonomy, reconnaissance, exploratory, and denial-of-service, defined by statistical visibility relative to acceptance regions rather than by assumed physical mechanisms. Using an effective estimator space Gaussian model r^′=Gr^+ξ with additive covariance N, we show how distinct mechanisms can be observationally equivalent within finite tolerances and we propose a protocol-agnostic scalar severity coordinate ΔE based on the covariance trace. We derive χ2-based missed-detection expressions and a soft detectability boundary scaling as 1/n, and we corroborate the predicted Pmiss(ν) behavior via Monte Carlo simulations across representative block sizes. The resulting framework clarifies the delimitation from conventional CV-QKD excess noise parameterization and provides a structured basis for monitoring-layer design and comparative threat-taxonomy mapping.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020048

Authors: Georg Goldenits Philip König Sebastian Raubitzek Andreas Ekelhart

Phishing websites pose a major cybersecurity threat, exploiting unsuspecting users and causing significant financial and organisational harm. Traditional machine learning approaches for phishing detection often require extensive feature engineering, continuous retraining, and costly infrastructure maintenance. At the same time, proprietary large language models (LLMs) have demonstrated strong performance in phishing-related classification tasks, but their operational costs and reliance on external providers limit their practical adoption in many business environments. This paper presents a detection pipeline for malicious websites and investigates the feasibility of Small Language Models (SLMs) using raw HTML code and URLs. A key advantage of these models is that they can be deployed on local infrastructure, providing organisations with greater control over data and operations. We systematically evaluate 15 commonly used SLMs, ranging from 1 billion to 70 billion parameters, benchmarking their classification accuracy, computational requirements, and cost-efficiency. Our results highlight the trade-offs between detection performance and resource consumption. While SLMs underperform compared to state-of-the-art proprietary LLMs, the gap is moderate: the best SLM achieves an F1-score of 0.893 (Llama3.3:70B), compared to 0.929 for GPT-5.2, indicating that open-source models can provide a viable and scalable alternative to external LLM services.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020047

Authors: Fray L. Becerra-Suarez Edwin Valencia-Castillo Ana G. Borrero-Ramírez Manuel G. Forero

Distributed denial-of-service (DDoS) attacks have become a critical threat to Internet of Things (IoT) infrastructures due to their high traffic dynamics, strong class imbalance, and strict resource constraints at the edge. This paper proposes ChebyKANRes, a lightweight intrusion detection model that combines Chebyshev polynomial expansions to parameterize learnable univariate transformations, a gate mechanism to modulate feature flow, and residual connections to stabilize optimization in deeper KAN-style stacks. Experiments were conducted on the CICIoT2023 dataset focusing on benign traffic and 12 DDoS subtypes, using a reproducible pipeline with stratified splitting, cross-validation (k = 5), and early stopping. The proposed model consistently improves multi-class performance (Accuracy: 0.9983) over an optimized MLP baseline (Accuracy: 0.9641), while maintaining a compact size suitable for edge deployment (≈123 k parameters; ~0.47 MB). Within CICIoT2023 and the evaluated split/training protocol, the proposed ChebyKANRes configuration shows improved imbalance-robust multiclass detection while maintaining a compact model size and comparable batch inference time.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020046

Authors: Dojin Ryu

Cognitive warfare is a hybrid threat that combines information manipulation with psychological influence, often amplified by digital platforms and synthetic media. Conventional cybersecurity tooling is optimized for technical intrusion and offers limited support for anticipating and responding to influence operations. This paper presents a conceptual framework that structures cognitive warfare threats with General Morphological Analysis (GMA) and links plausible configurations to indicator profiles and response playbooks. We first conduct a PRISMA-informed literature review (2018–2025) to derive a five-dimensional taxonomy (actor, tactic, medium, target, objective). We then apply cross-consistency assessment to remove implausible state-pair combinations and obtain a reduced library of internally consistent scenarios. To support analyst-guided triage, we outline an AI-enabled workflow that maps observable signals to taxonomy states, matches events to scenarios, and prioritizes responses via an auditable, policy-set risk score. Finally, we illustrate the framework on three publicly documented cases and show how each case maps to scenario vectors, indicators, and playbooks. No end-to-end system implementation or performance metrics are reported; the contribution is the structured scenario library and the traceable mapping from observations to response guidance.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020045

Authors: Sergey Davydenko Pavel Laptev Evgeny Kostyuchenko

Continuous authentication is a promising method for protecting computer systems in the event of compromise of primary authentication factors, such as passwords or tokens. Systems employing continuous authentication that rely on biometrics may not be restricted to a single biometric characteristic; rather, they can simultaneously utilize multiple characteristics and subsequently arrive at a conclusive decision based on their collective analysis outcomes. One of the significant challenges researchers encounter when investigating effective fusion in decision-making is the lack of data. At present, data generation primarily involves the creation of feature vectors or attack simulation. This paper introduces a method for directly generating distances derived from a Siamese neural network, utilizing the probability density function of an existing distribution. Through statistical analysis, we successfully generated 5000 samples that correspond to the initial distribution, which were then employed to discover the threshold values at which FAR and FRR were less than 1%. The methods developed can be further applied to identify the most efficient strategies for integrating the results of continuous authentication in systems that incorporate multiple biometric characteristics.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020044

Authors: Esti Rahmawati Agustina Kalamullah Ramli Ruki Harwahyu Teddy Surya Gunawan Muhammad Salman Andriani Adi Lestari Arif Rahman Hakim

Vehicular ad hoc networks (VANETs) require authentication systems that balance privacy, scalability, and post-quantum security. While lattice-based V-LDAA offers quantum resistance, it faces challenges in signature size, traceability, and integration. We propose post-quantum traceable direct anonymous attestation (PQ-TDAA), combining National Institute of Standards and Technology (NIST)-standard Dilithium2 and Falcon-512 signatures with adapted Beullens-style blind signatures and Fiat–Shamir simplified Schnorr proofs, reducing proof size by 69.2% (8 kB vs. V-LDAA’s 26 kB) and supporting European Telecommunications Standards Institute Technical Specification (ETSI TS) 102 941-compliant traceability through Road Side Unit (RSU)-assisted verification. Evaluated using SageMath, Python 3.11, and NS-3, PQ-TDAA-Falcon-512 achieves 8.1 ms and 49.7 ms end-to-end delays at 10 and 20 vehicles, respectively, with 64.7 Mbps goodput on congested 802.11p channels, showing promise for densities of ≤50 vehicles and advantages over Dilithium2. Real-world validation on ARM Cortex-A76 (Raspberry Pi 5, emulating automotive OBUs) yields sub-0.5 ms V2V cycles within 100 ms beacon intervals, supporting practical embedded deployment. Future work will extend PQ-TDAA to emerging 5G and NR-V2X settings, integrate more realistic mobility and channel models through coupled NS-3 and SUMO co-simulation, and investigate side-channel resistance for enhanced scalability and robustness in real deployments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020042

Authors: Michael Logan Garrett Mahafujul Alam Michael Partridge Julie Heynssens

This work proposes a lightweight biometric key-binding scheme that adapts a PUF-style challenge–response mechanism to face geometry: a two-factor password and session nonce generate random challenge points, Gray-coded Euclidean distances to facial landmarks form responses, and a random key is bound by discarding selected positions so only a reduced subset, the nonce, and a key hash are stored. At authentication, a fresh response set is compared to the subset with a Hamming-distance tolerance, and bounded local search corrects residual errors; each successful session rotates the nonce and refreshes the ephemeral key. We frame this as a conceptual exploration of an interpretable, on-device, controlled-capture design niche—a per-session nonce-driven cancelable biometric key-binding mechanism—and we quantify the resulting security–usability trade-offs. Empirically, the scheme works under stable capture conditions with carefully tuned thresholds, and it is naturally suited to tightly controlled deployments (e.g., access kiosks) where it can also incorporate user-driven micro-gestures as an extra behavioral factor. While the construction is fragile under broader variability and leans on the second factor for security, it offers an alternative to existing mechanisms and a clear niche, and we present it as a conceptual exploration showing how CRP mechanisms can inform cancelable biometrics with per-session revocability.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020043

Authors: Antonio Goncalves Anacleto Correia

High-risk Artificial Intelligence (AI) systems deployed in cybersecurity and privacy-critical contexts must satisfy not only demanding performance targets but also stringent obligations for transparency, accountability, and human oversight under the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act). Existing approaches often treat these concerns in isolation as follows: Explainable Artificial Intelligence (XAI) methods are added ad hoc to machine learning pipelines, while governance and regulatory frameworks remain largely conceptual and weakly connected to the concrete artefacts produced in practice. This article proposes XAI-Compliance-by-Design, a modular framework that integrates XAI techniques, compliance-by-design principles and trustworthy Machine Learning Operations (MLOps) practices into a unified architecture for high-risk AI systems in cybersecurity and privacy domains. The framework follows a dual-flow design that couples an upstream technical pipeline (data, model, explanation, and monitoring) with a downstream governance pipeline (policy, oversight, audit, and decision-making), orchestrated by a Compliance-by-Design Engine and a technical–regulatory correspondence matrix aligned with the GDPR, the AI Act, and ISO/IEC 42001. The framework is instantiated and evaluated through an end-to-end, Python-based proof of concept using a synthetic, intrusion detection system (IDS)-inspired anomaly detection scenario with a Random Forest (RF) classifier, Shapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), drift indicators, and tamper-evident evidence bundles and decision dossiers. The results show that, even in a modest, toy setting, the framework systematically produces verifiable artefacts that support auditability and accountability across the model lifecycle. By linking explanation reports, drift statistics and compliance logs to concrete regulatory provisions, the approach illustrates how organisations operating high-risk AI for cybersecurity and privacy can move from model-centric optimisation to evidence-centric governance. The article discusses how the proposed framework can be generalised to real-world high-risk AI applications, contributing to the operationalisation of European digital sovereignty in AI governance. This article does not introduce a new intrusion detection algorithm; instead, it proposes an evidence-centric governance pipeline that captures decision provenance and compliance artefacts so that decisions can be audited and justified against regulatory obligations.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020041

Authors: Kyriakos Stefanidis Vasilis Bekos Dimitris Karadimas

Trustworthy Identity and Access Management (IAM) is a foundational requirement for federated data trading platforms, yet existing solutions often rely on centralized Identity Providers (IdPs), lack cross-border interoperability, and offer limited support for user-friendly authorization management. These limitations hinder secure onboarding, fine-grained access control, and regulatory compliance, especially within European Union (EU) data spaces governed by the Electronic Identification, Authentication, and Trust Services (eIDAS) 2.0 framework. This work presents a comprehensive IAM framework designed for federated data trading environments, developed within the EU-funded PISTIS project. The framework is based on Keycloak IAM and offers three major capabilities: (i) a novel IAM architecture tailored to distributed data trading scenarios; (ii) full integration of eIDAS-compliant cross-border authentication and initial support for European Digital Identity (EUDI) Wallets; and (iii) a standalone, web-based Access Policy Editor (APE) that abstracts Keycloak’s policy engine and enables non-technical users to define fine-grained, owner-driven access rules. The approach is evaluated across real-world mobility, energy, and automotive industry pilots, demonstrating its effectiveness in enhancing trust, interoperability, and usability within regulated data-sharing ecosystems.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6020040

Authors: Oscar A. Aliaga Noémi Nagy Bonnie Gómez Torres Ajara Mahmoud Courtney N. Callahan

This study provides a foundational review of work-based learning (WBL) opportunities offered by colleges and universities to students in higher education cybersecurity (CS) programs in the United States, with the goal of mapping the WBL practices across institutional and program contexts. Integrating WBL into CS curricula is widely recognized as an effective way to strengthen essential skills and address employer concerns about the gap between academic preparation and labor market needs. We first outline the characteristics of institutions and CS programs offering WBL. Next, we examine the range of WBL experiences designed to enhance students’ professional competencies. Finally, we explore characteristics of the partnerships between higher education and industry that support these initiatives. Using a status survey approach, we collected responses from 92 higher education institutions offering CS programs. We analyzed the data using descriptive statistics and linear regression models to explore patterns of association between the type and number of WBL opportunities available to students, institutional characteristics related to the total number of WBL offerings, and program features associated with WBL intensity across Awareness, Exploration, and Direct Experience levels of intensity. Findings reveal a diverse array of WBL opportunities, with notable growth across credential levels. Notably, certificates and associate degrees place particular emphasis on WBL. Both institutional characteristics and program features explain, albeit partially, the number of WBL opportunities implemented and the intensity levels of those WBL. However, results also indicate an ambivalent connection to employers, despite their critical role in providing hands-on, problem-solving experiences. Based on these insights, we recommend expanding WBL beyond internships, strengthening institutional–industry partnerships, and fostering employer engagement through structured WBL collaboration models. These strategies aim to improve workforce readiness and create a more inclusive, scalable system of experiential learning in cybersecurity education.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010039

Authors: Kenan Nuray Oren Upton Nicole Beebe

This paper presents an experimental comparison of the EMBA firmware security analysis framework deployed in cloud-based and standalone environments. Unlike prior studies that primarily focus on EMBA’s analytical capabilities, this work examines how deployment choices influence performance and execution time during IoT firmware analysis. Using identical EMBA configurations and analysis modules, firmware images of varying sizes were analyzed on a standalone personal computer and a Microsoft Azure cloud-based virtual machine. Execution time, detected vulnerabilities, and resource utilization were systematically recorded to evaluate the impact of the deployment environment. The results indicate that scan duration is affected by both firmware size and execution context. For example, using EMBA v1.5.0, a 25.5 MB firmware image required approximately 14 h on a standalone system and over 25 h in the cloud. In contrast, a 30.2 MB image was completed in approximately 18 h locally and 17 h in the cloud. Despite these differences in execution time, the type and number of identified vulnerabilities were largely consistent across both environments, suggesting comparable analytical coverage. Overall, this deployment-focused evaluation provides empirical insight into performance-related trade-offs relevant to practitioners selecting local or cloud-based environments for firmware security analysis.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010038

Authors: Jack Kolenbrander Elliott Rheault Alan J. Michaels

Cybersquatting is a collection of methods commonly used by malicious actors to mislead or trick internet users into accessing fraudulent or malicious content. Much of the current research has concentrated on the specific techniques used by attackers in this domain, such as typosquatting, combosquatting, and sound squatting. Some research has explored the financial and time impacts of cybersquatting; however, an understanding of user privacy impacts is limited. Prior research into privacy implications has primarily relied on passive techniques such as analyzing DNS records, HTML content, and domain registrations. These passive approaches limit the ability to interact with these domains and track the downstream impact of sharing personally identifiable information (PII). This research develops an active open-source intelligence (OSINT) collection system capable of rapidly collecting and analyzing squatting domains through both passive and active techniques, with a particular emphasis on identifying those that solicit user information. Synthetic identities are then registered with these domains, and their associated communications are collected and analyzed to identify privacy-related risks and determine whether shared PII propagates.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010037

Authors: Samuel T. Aiello Bhaskar P. Rimal Frederick T. Sheldon Yong Wang

The rollout of 5G Standalone networks introduces unprecedented flexibility and performance through service-based architecture (SBA), virtualization, open APIs, and network slicing, while simultaneously expanding the attack surface across control, user, and cross-plane interfaces. This article provides a systematic, vulnerability-prioritized, selective characterization of the current state of weaknesses specific to the 5G control and user planes and transparent risk scoring. Using a PRISMA-aligned methodology, vulnerabilities are mapped explicitly to 3GPP network functions and interfaces (e.g., AMF, SMF, UPF; N2, N4, SBA APIs) and categorized by operational evidence level ranging from theoretical analysis to documented live-network exploitation. A normalized criticality scoring model integrates likelihood, impact, exploitability, and CVSS-derived severity. The analysis shows that control-plane signaling floods, PFCP misuse, and container escapes stand out as the most pressing risks. It also exposes how little attention has been given to securing the user plane and strengthening slice isolation. The paper wraps up with clear, evidence-based hardening priorities for each plane, along with research areas that matter for today’s 5G networks and the shift toward 6G.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010036

Authors: Samira A. Baho Jemal Abawajy

Vulnerability severity assessment plays a critical role in cybersecurity risk management by quantifying risk based on vulnerability disclosure reports. However, interpreting these reports and assigning reliable risk levels remains challenging in Internet of Things (IoT) environments. This paper proposes an IoT vulnerability severity prediction framework aligned with the Common Vulnerability Scoring System (CVSS). The framework is based on a lightweight transformer architecture. It uses a distilled version of Bidirectional Encoder Representations from Transformers (BERT). The model is fine-tuned using transfer learning to capture contextual semantic information from vulnerability descriptions. The lightweight design preserves computational efficiency. Experimental evaluation on an IoT vulnerability dataset shows strong and consistent performance across all severity classes. The proposed model achieves double-digit improvements across key evaluation metrics. In most cases, the improvement exceeds 20% compared with traditional machine learning and baseline deep learning approaches. These results show that lightweight transformer models are well suited for IoT security. They provide a practical and effective solution for automated vulnerability severity classification in resource- and data-constrained environments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010035

Authors: José Dias Silvestre Malta Ricardo Santos

Network slicing is a core enabler of multi-tenant 5th Generation (5G) architectures, allowing heterogeneous services to coexist over shared infrastructure. However, ensuring effective isolation between slices remains a critical security challenge, as failures may enable cross-slice interference, data leakage, or cascading service disruption. This article analyses security vulnerabilities affecting 5G network slicing from a risk-oriented perspective, with particular emphasis on isolation weaknesses across orchestration, virtualization, network, and interface layers. Due to the technical immaturity and instability of current open-source slicing platforms, experimental validation of security mechanisms proved infeasible. These limitations are therefore treated as empirical evidence informing a structured vulnerability taxonomy and a qualitative risk assessment grounded in confidentiality, integrity, and availability. Building on this analysis, the article proposes a conceptual security framework that integrates defence-in-depth, zero-trust principles, continuous monitoring, and adaptive response mechanisms to enforce isolation dynamically. Aligned with established standards and regulatory references, the framework provides a coherent theoretical foundation for future experimental validation and the secure design of resilient 5G network slicing architectures.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010034

Authors: Wesam Fallatah Steven Furnell Christian Wagner

Organizations are facing a wide range of cyber threats. While technological advancements have resulted in sophisticated cybersecurity solutions, the effectiveness of these solutions is hindered when users do not properly engage with security measures. Usable security is critical to encourage people to incorporate proactive practices into their daily routine, which strengthens the wider security culture. Conversely, cumbersome and intrusive measures can lead to workarounds, errors, or neglect, compromising security efforts. This study addresses the limited research on how the usability of security measures influences security culture. A mixed-method approach was employed to characterize this relationship by investigating whether usable security can positively influence security culture. Data were gathered through a survey study with over 200 participants, followed by interviews with a smaller subset. The study then proposes a usability-focused framework that leverages the influence in addition to other essential elements to foster a robust security culture. The findings suggest that addressing common usability barriers can help organizations improve compliance, reduce security risks, and enhance the overall security culture.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010033

Authors: Gonesh Chandra Saha Ahmed Afif Monrat Karl Andersson

The rapid expansion of electric vehicles (EVs) has added complexity to the resilience and security challenges to the EV charging systems, especially owing to the exposure to the cyber–physical threats and the reliance on centrally coordinated systems. Although the previous literature has discussed the use of blockchain in the context of smart grids and mobility services; its implementation to improve the resilience of EV charging, particularly when integrated with cybersecurity systems, is still insufficiently synthesized. Despite these issues, critical gaps persist in terms of scalability, interoperability, and cybersecurity enforcement. This study presents an exploratory literature review that examines the intersection of blockchain and cybersecurity enabled applications and introduces a comparative framework evaluating the conventional security controls with blockchain based cybersecurity solutions to improve the resilience of EV charging infrastructure. The authors analyzed 70 studies published between 2018 and 2025 to determine the security weaknesses and map them to decentralized solutions. Reported threats, security mechanisms, architectural decisions, and levels of validation were grouped and reviewed critically in the patterns of limitations with respect to scalability, interoperability, and deployment maturity. Through the synthesis of fragmented results in cross disciplinary research, the paper finds the main gaps in research and comparative research results that could be used as a comprehensive reference in future studies and system design in resilient EV charging infrastructures.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010032

Authors: Abderrahman El Alami Ismail El Batteoui Khalid Satori

The exponential growth of network traffic and the increasing sophistication of cyberattacks have underscored the need for intelligent and real-time Intrusion Detection Systems (IDS). Traditional flow-based IDS models typically analyze each network flow independently, ignoring the temporal and contextual dependencies among flows, which reduces their ability to recognize coordinated or multi-stage attacks. To address this limitation, this paper proposes a Bernoulli-based probabilistic sequence modeling framework that integrates statistical learning with visual feature representation for efficient intrusion detection. The approach begins with a comprehensive data-preprocessing pipeline that performs feature cleaning, encoding, normalization, and sequence aggregation. Each aggregated feature vector is then transformed into a 6 × 6 grayscale image, allowing the system to capture spatial correlations among network features through convolutional operations. A logistic regression model first estimates per-flow attack probabilities, and these are combined using the Bernoulli probability law to infer the likelihood of malicious activity across flow sequences. The resulting sequence-level representations are evaluated using lightweight classifiers such as TinyNet-6 × 6, MobileNetV2, and ResNet18. Experimental results on the CICIDS2017 dataset demonstrate that the proposed method achieves high detection accuracy with reduced computational cost compared to state-of-the-art deep models, highlighting its suitability for scalable, real-time IDS deployment.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010031

Authors: Abdullah Alaklabi Muhammad Asfand Hafeez Arslan Munir

The rapid growth of digital communication has heightened the need for the secure transfer of sensitive image data. This is due to the increasing threats posed by cyberattacks and unauthorized access. Traditional encryption methods, while effective for text and binary data, often face significant challenges when applied to images, due to their larger size and complex structure. These characteristics make it difficult to provide a robust security solution. In this paper, we present a fast and efficient hybrid image encryption and steganography algorithm that leverages a substitution–permutation network (SPN), a chaotic logistic map (CLM), and least-significant-bit (LSB) substitution. This approach aims to improve data security and confidentiality while maintaining low computational complexity. The chaotic map generates random sequences for substitution and permutation, ensuring high unpredictability. The SPN framework improves the confusion and diffusion properties of the encryption process. The LSB substitution method hides the encrypted data values within the pixels of the cover image. We evaluate the security and efficiency of the proposed algorithm using various statistical tests, including measurement of the mean square error (MSE) and peak signal-to-noise ratio (PSNR) and pixel difference histogram (PDH) analysis. The results indicate that our algorithm outperforms many existing methods in terms of speed and efficiency, making it suitable for real-time hybrid encryption and steganography applications.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010030

Authors: Babe Haiba Najat Rafalia

Mandatory SIM card registration, while essential to regulatory oversight and national security, continues to raise significant privacy concerns due to the centralized collection and storage of sensitive user data by Mobile Network Operators (MNOs). This paper introduces a novel framework that combines blockchain technology with Zero-Knowledge Proofs (ZKPs) to enable secure and privacy-preserving identity verification during SIM registration. The proposed system allows users to authenticate their identity attributes without revealing any personal information, effectively minimizing direct data access by MNOs or intermediaries. A smart contract deployed on the blockchain enforces regulatory policies while ensuring the transparency, immutability, and auditability of all registration events. By removing single points of failure and minimizing trust in centralized authorities, this work offers a cryptographically secure and regulation-compliant solution, with scalability supported by its modular design for next-generation digital identity management in telecommunications infrastructures.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010029

Authors: Carlene Campbell Sergio Jofre Giedre Sabaliauskaite Carolyne Obonyo Odayne Haughton

Cybersecurity has become a critical challenge to policy as cyber threats continue to increase in frequency, sophistication, and societal impact, exposing the growing vulnerability of the critical infrastructure supporting vital societal functions. Globally, these risks are heightened by a persistent shortage of skilled cybersecurity professionals, which, in Europe, threatens the effective implementation of the Union’s Network and Information Security Directive 2 (NIS2) concerned with the enhancement and harmonization of the cybersecurity level across Member States, notably in terms of their critical infrastructure and involved entities. This article examines the cybersecurity skills landscape across the European Union (EU), with a specific focus on Lithuania, using the United Kingdom (UK) as a strategic benchmark subject. Adopting a comparative case study approach, the study explores and discusses governance arrangements, education and training pathways, labour-market dynamics, and quality-assurance mechanisms shaping cybersecurity workforce development. Technical, organisational, and transversal skills required to prepare an effective cybersecurity workforce in a rapidly evolving labour landscape are also discussed. Findings reveal that Lithuania faces an acute shortage of advanced practitioners and limited alignment between education provision, labour-market needs, and regulatory requirements. In response, the article proposes policy-informed strategies adapted from the UK’s structured and professionalised cybersecurity skills model, explicitly mapped to NIS2 workforce and capability requirements. Identified strategies emphasise the need of coordinated action across schools, higher education institutions, government, industry, and the wider community. Potential enablers and constraints for the operationalization of the identified strategies are further analysed and discussed. The study aims to contribute to ongoing policy debates by demonstrating how a strategic context-sensitive selection and adaptation of key components in established skills frameworks can support the development of a sustainable national cybersecurity skills ecosystem and enhance long-term digital resilience, not only in Lithuania but also in other Member States across the EU.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010028

Authors: Lucía Alba Torres Miguel Rebollo Javier Palanca Mario Aragonés Lozano

Modern cyber threats demand coordinated defensive strategies that extend beyond centralized security mechanisms. However, existing multi-agent platforms exhibit critical limitations in explicit communication and real-time coordination for cyberdefense operations. This work proposes a hierarchical multi-agent architecture for autonomous cyberdefense that addresses these limitations through structured inter-agent communication and distributed coordination. The architecture integrates a centralized monitor agent with specialized defensive swarms deployed across operational hosts. It is implemented using SPADE 4.1 (Smart Python Agent Development Environment) to enable XMPP-based (Extensible Messaging and Presence Protocol) communication with low-latency messaging and location transparency. Four specialized swarms—Network Defender, Host Defender, Anomaly Detection, and Forensic and Recovery—perform autonomous defensive tasks. A secure authentication mechanism ensures trusted communication between monitor and deployer agents. The system was evaluated in a controlled virtualized environment using the Network Defender Swarm as an illustrative case. The experimental results focus on internal coordination behavior, messaging efficiency, and end-to-end detection time across increasing levels of parallelism. A scan agent scalability analysis shows that moderate parallelism (2–16 agents) yields the lowest Total Detection Time (12.88 s across the full TCP port range), while excessive agent counts degrade performance. Results demonstrate how the proposed architecture supports low-latency communication, efficient coordination, and parallel task execution. Message latency benchmarks show improvements compared to classical agent frameworks such as JADE. These findings provide initial evidence that communication-centric multi-agent architectures can facilitate coordinated and adaptive cyberdefense operations, while serving as a platform for further experimental evaluation.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010027

Authors: Vijay Kanabar Kalinka Kaloyanova

Generative AI (GenAI) systems are increasingly deployed across high-impact sectors, introducing security risks that fundamentally differ from those of traditional software. Their probabilistic behavior, emergent failure modes, and expanded attack surface, particularly through retrieval and tool integration, complicate threat modeling and control assurance. This paper presents a threat-centric analysis that maps adversarial techniques to the core architectural layers of generative AI systems, including training pipelines, model behavior, retrieval mechanisms, orchestration, and runtime interaction. Using established taxonomies such as the OWASP LLM Top 10 and MITRE ATLAS alongside empirical research, we show that many GenAI security risks are structural rather than configurable, limiting the effectiveness of perimeter-based and policy-only controls. We additionally analyze the impact of regulatory divergence on GenAI security architecture and find that EU frameworks serve in practice as the highest common technical baseline for transatlantic deployments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010026

Authors: Ghazia Qaiser Siva Chandrasekaran

The emerging scope of the Industrial Internet of Services (IIoS) requires a robust intrusion detection system to detect malicious attacks. The increasing frequency of sophisticated and high-impact cyber attacks has resulted in financial losses and catastrophes in IIoS-based manufacturing industries. However, existing solutions often struggle to adapt and generalize to new cyber attacks. This study proposes a unique approach designed for known and zero-day network attack detection in IIoS environments, called Denoising Adaptive Multi-Branch Architecture (DA-MBA). The proposed approach is a smart, conformal, and self-adjusting cyber attack detection framework featuring denoising representation learning, hybrid neural inference, and open-set uncertainty calibration. The model merges a denoising autoencoder (DAE) to generate noise-tolerant latent representations, which are processed using a hybrid multi-branch classifier combining dense and bidirectional recurrent layers to capture both static and temporal attack signatures. Moreover, it addresses challenges such as adaptability and generalizability by hybridizing a Multilayer Perceptron (MLP) and bidirectional LSTM (BiLSTM). The proposed hybrid model was designed to fuse feed-forward transformations with sequence-aware modeling, which can capture direct feature interactions and any underlying temporal and order-dependent patterns. Multiple approaches have been applied to strengthen the dual-branch architecture, such as class weighting and comprehensive hyperparameter optimization via Optuna, which collectively address imbalanced data, overfitting, and dynamically shifting threat vectors. The proposed DA-MBA is evaluated on two widely recognized IIoT-based datasets, Edge-IIoT set and WUSTL-IIoT-2021 and achieves over 99% accuracy and a near 0.02 loss, underscoring its effectiveness in detecting the most sophisticated attacks and outperforming recent deep learning IDS baselines. The solution offers a scalable and flexible architecture for enhancing cybersecurity within evolving IIoS environments by coupling feature denoising, multi-branch classification, and automated hyperparameter tuning. The results confirm that coupling robust feature denoising with sequence-aware classification can provide a scalable and flexible framework for improving cybersecurity within the IIoS. The proposed architecture offers a scalable, interpretable, and risk sensitive defense mechanism for IIoS, advancing secure, adaptive, and trustworthy industrial cyber-resilience.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010025

Authors: Mohammad Meraj Mirza Rayan Saad Alsuwat Yasser Musaed Alqurashi Abdullah Adel Alharthi Abdulrahman Matar Alsuwat Osama Mohammed Alasamri Nasser Ahmed Hussain

Cybersecurity teams rely on signature-based scanners such as Loki, a command-line tool for scanning malware, to identify Indicators of Compromise (IOCs), malicious artifacts, and YARA-rule matches. However, the raw Loki log output delivered as CSV or plaintext is challenging to interpret without additional visualization and correlation tools. Therefore, this research discusses the creation of a web-based dashboard that displays results from the Loki scanner. The project focuses on processing and displaying information collected from Loki’s scans, which are available in log files or CSV format. DIGITRACKER was developed as a proof-of-concept (PoC) to process this data and present it in a user-friendly, visually appealing way, enabling system administrators and cybersecurity teams to monitor potential threats and vulnerabilities effectively. By leveraging modern web technologies and dynamic data visualization, the tool enhances the user experience, transforming raw scan results into a well-organized, interactive dashboard. This approach simplifies the often-complicated task of manual log analysis, making it easier to interpret output data and to support low-budget or resource-constrained cybersecurity teams by transforming raw logs into actionable insights. The project demonstrates the dashboard’s effectiveness in identifying and addressing threats, providing valuable tools for cybersecurity system administrators. Moreover, our evaluation shows that DIGITRACKER can process scan logs containing hundreds of IOC alerts within seconds and supports multiple concurrent users with minimal latency overhead. In test scenarios, the integrated Loki scans were achieved, and the end-to-end pipeline from the end of the scan to the initiation of dashboard visualization incurred an average latency of under 20 s. These results demonstrate improved threat visibility, support structured triage workflows, and enhance analysts’ task management. Overall, the system provides a practical, extensible PoC that bridges the gap between command-line scanners and operational security dashboards, with new scan results displayed on the dashboard faster than manual log analysis. By streamlining analysis and enabling near-real-time monitoring, the PoC tool DIGITRACKER empowers cyber defense initiatives and enhances overall system security.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010024

Authors: Sofia Sakka Vasiliki Liagkou Afonso Ferreira Chrysostomos Stylios

Metaverse presents significant opportunities for educational advancement by facilitating immersive, personalized, and interactive learning experiences through technologies such as virtual reality (VR), augmented reality (AR), extended reality (XR), and artificial intelligence (AI). However, this potential is compromised if digital environments fail to uphold individuals’ privacy, autonomy, and equity. Despite their widespread adoption, the privacy implications of these environments remain inadequately understood, both in terms of technical vulnerabilities and legislative challenges, particularly regarding user consent management. Contemporary Metaverse systems collect highly sensitive information, including biometric signals, spatial behavior, motion patterns, and interaction data, often surpassing the granularity captured by traditional social networks. The lack of privacy-by-design solutions, coupled with the complexity of underlying technologies such as VR/AR infrastructures, 3D tracking systems, and AI-driven personalization engines, makes these platforms vulnerable to security breaches, data misuse, and opaque processing practices. This study presents a structured literature review and comparative analysis of privacy risks, consent mechanisms, and digital boundaries in metaverse platforms, with particular attention to educational contexts. We argue that privacy-aware design is essential not only for ethical compliance but also for supporting the long-term sustainability goals of digital education. Our findings aim to inform and support the development of secure, inclusive, and ethically grounded immersive learning environments by providing insights into systemic privacy and policy shortcomings.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010023

Authors: Nikolaos-Achilleas Steiakakis Giorgos Vasiliadis

Machine learning inference is increasingly deployed on shared and cloud infrastructures, where both user inputs and model parameters are highly sensitive. Confidential computing promises to protect these assets using Trusted Execution Environments (TEEs), yet existing TEE-based inference systems remain fundamentally constrained: they rely almost exclusively on low-level, memory-unsafe languages to enforce confinement, sacrificing developer productivity, portability, and access to modern ML ecosystems. At the same time, mainstream high-level runtimes, such as Python, are widely considered incompatible with enclave execution due to their large memory footprints and unsafe model-loading mechanisms that permit arbitrary code execution. To bridge this gap, we present the first Python-based ML inference system that executes entirely inside Intel SGX enclaves while safely supporting untrusted third-party models. Our design enforces standardized, declarative model representations (ONNX), eliminating deserialization-time code execution and confining model behavior through interpreter-mediated execution. The entire inference pipeline (including model loading, execution, and I/O) remains enclave-resident, with cryptographic protection and integrity verification throughout. Our experimental results show that Python incurs modest overheads for small models (≈17%) and outperforms a low-level baseline on larger workloads (97% vs. 265% overhead), demonstrating that enclave-resident high-level runtimes can achieve competitive performances. Overall, our findings indicate that Python-based TEE inference is practical and secure, enabling the deployment of untrusted models with strong confidentiality and integrity guarantees while maintaining developer productivity and ecosystem advantages.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010022

Authors: Sofia Sakka Vasiliki Liagkou Yannis Stamatiou Chrysostomos Stylios

Wireless sensor networks comprise many resource-constrained nodes that must protect both local readings and routing metadata. The sensors collect data from the environment or from the individual to whom they are attached and transmit it to the nearest gateway node via a wireless network for further delivery to external users. Due to wireless communication, the transmitted messages may be intercepted, rerouted, or even modified by an attacker. Consequently, security and privacy issues are of utmost importance, and the nodes must be protected against unauthorized access during transmission over a public wireless channel. To address these issues, we propose the Probabilistic Bit-Similarity-Based Key Agreement Protocol (PBS-KAP). This novel method enables two nodes to iteratively converge on a shared secret key without transmitting it or relying on pre-installed keys. PBS-KAP enables two nodes to agree on a symmetric session key using probabilistic similarity alignment with explicit key confirmation (MAC). Optimized Garbled Circuits facilitate secure computation with minimal computational and communication overhead, while Secure Sketches combined with Fuzzy Extractors correct residual errors and amplify entropy, producing reliable and uniformly random session keys. The resulting protocol provides a balance between security, privacy, and usability, standing as a practical solution for real-world WSN and IoT applications without imposing excessive computational or communication burdens. Security relies on standard computational assumptions via a one-time elliptic–curve–based base Oblivious Transfer, followed by an IKNP Oblivious Transfer extension and a small garbled threshold circuit. No pre-deployed long-term keys are required. After the bootstrap, only symmetric operations are used. We analyze confidentiality in the semi-honest model. However, entity authentication, though feasible, requires an additional Authenticated Key Exchange step or malicious-secure OT/GC. Under the semi-honest OT/GC assumption, we prove session-key secrecy/indistinguishability; full entity authentication requires an additional AKE binding step or malicious-secure OT/GC.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010021

Authors: Javier Alberto Vargas Valencia Mauricio A. Londoño-Arboleda Hernán David Salinas Jiménez Carlos Alberto Marín Arango Luis Fernando Duque Gómez

This work presents a hybrid chaotic–cryptographic image encryption method that integrates a physical two-dimensional delta-kicked oscillator with a PBKDF2-HMAC-SHA256 key derivation function (KDF). The user-provided key material—a 12-character, human-readable key and four salt words—is transformed by the KDF into 256 bits of high-entropy data, which is then converted into 96 balanced decimal digits to seed the chaotic system. Encryption operates in the real number domain through a chaotic partition–permutation stage followed by modular diffusion. Experimental results confirm perfect reversibility, high randomness (Shannon entropy ≈7.9981), and negligible adjacent-pixel correlation. The method resists known- and chosen-plaintext attacks, showing no statistical dependence between plain and cipher images. Differential analysis yields NPCR≈99.6% and UACI≈33.9%, demonstrating complete diffusion. The PBKDF2-based key derivation expands the effective key space to 2256, eliminates weak-key conditions, and ensures full reproducibility. The proposed approach bridges deterministic chaos and modern cryptography, offering a secure, verifiable framework for protecting sensitive images.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010020

Authors: Derrisa Tuscano Jules Pagna Disso

Generative Artificial Intelligence (GenAI) systems have introduced new classes of security incidents that traditional response frameworks were not designed to manage, ranging from model manipulation and data exfiltration to misinformation cascades and prompt-based privilege escalation. This study proposes a Practical Incident-Response Framework for Generative AI Systems (GenAI-IRF) that bridges established cybersecurity standards with emerging AI assurance principles. Using a Design Science Research (DSR) approach, this study identifies six recurrent incident archetypes and formalises a structured playbook aligned with NIST SP 800-61r3, NIST AI 600-1, MITRE ATLAS, and OWASP LLM Top-10. The artefact was evaluated in controlled scenarios using scenario-based simulations and expert reviews involving AI-security practitioners from academia, finance, and technology sectors. The results suggest high inter-rater reliability (κ = 0.88), strong usability (SUS = 86.4), and improved incident resolution times compared to baseline procedures. The findings demonstrate how traditional response models can be adapted to GenAI contexts using taxonomy-driven analysis, artefact-centred validation, and practitioner feedback. This framework provides a practical foundation for security teams seeking to operationalise AI incident response and contributes to the emerging body of work on trustworthy and resilient AI systems.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010019

Authors: Maksim Iavich Tamari Kuchukhidze Razvan Bocu

In the original publication [...]

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010018

Authors: Abdissamad Ayoubi Loubna Laaouina Adil Jeghal Hamid Tairi

Cross-site scripting (XSS) attacks are among the threats facing web security, resulting from the diversity and complexity of HTML formats. Research has shown that some text processing-based methods are limited in their ability to detect this type of attack. This article proposes an approach aimed at improving the detection of this type of attack, taking into account the limitations of certain techniques. It combines the effectiveness of deep learning represented by convolutional neural networks (CNN) and the accuracy of classification methods represented by support vector machines (SVM). It takes advantage of the ability of CNNs to effectively detect complex visual patterns in the face of injection variations and the SVM’s powerful classification capability, as XSS attacks often use obfuscation or encryption techniques that are difficult to be detected with textual methods alone. This work relies on a dataset that focuses specifically on XSS attacks, which is available on Kaggle and contains 13,686 sentences in script form, including benign and malicious cases associated with these attacks. Benign data represents 6313 cases, while malicious data represents 7373 cases. The model was trained on 80% of this data, while the remaining 20% was allocated for test. Computer vision techniques were used to analyze the visual patterns in the images and extract distinctive features, moving from a textual representation to a visual one where each character is converted into its ASCII encoding, then into grayscale pixels. In order to visually distinguish the characteristics of normal and malicious code strings and the differences in their visual representation, a CNN model was used in the analysis. The convolution and subsampling (pooling) layers extract significant patterns at different levels of abstraction, while the final output is converted into a feature vector that can be exploited by a classification algorithm such as an Optimized SVM. The experimental results showed excellent performance for the model, with an accuracy of (99.7%), and this model is capable of generalizing effectively without the risk of overfitting or loss of performance. This significantly enhances the security of web applications by providing robust protection against complex XSS threats.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010017

Authors: Mahmoud H. Qutqut Ali Ahmed Mustafa K. Taqi Jordan Abimanyu Erika Thea Ajes Fatima Alhaj

Data exfiltration poses a major cybersecurity challenge because it involves the unauthorized transfer of sensitive information. Intrusion Detection Systems (IDSs) are vital security controls in identifying such attacks; however, their effectiveness in cloud computing environments remains limited, particularly against covert channels such as Internet Control Message Protocol (ICMP) and Domain Name System (DNS) tunneling. This study compares two widely used IDSs, Snort and Suricata, in a controlled cloud computing environment. The assessment focuses on their ability to detect data exfiltration techniques implemented via ICMP and DNS tunneling, using DNSCat2 and Iodine. We evaluate detection performance using standard classification metrics, including Recall, Precision, Accuracy, and F1-Score. Our experiments were conducted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances, where IDS instances monitored simulated exfiltration traffic generated by DNSCat2, Iodine, and Metasploit. Network traffic was mirrored via AWS Virtual Private Cloud (VPC) Traffic Mirroring, with the ELK Stack integrated for centralized logging and visual analysis. The findings indicate that Suricata outperformed Snort in detecting DNS-based exfiltration, underscoring the advantages of multi-threaded architectures for managing high-volume cloud traffic. For DNS tunneling, Suricata achieved 100% detection (recall) for both DNSCat2 and Iodine, whereas Snort achieved 85.7% and 66.7%, respectively. Neither IDS detected ICMP tunneling using Metasploit, with both recording 0% recall. It is worth noting that both IDSs failed to detect ICMP tunneling under default configurations, highlighting the limitations of signature-based detection in isolation. These results emphasize the need to combine signature-based and behavior-based analytics, supported by centralized logging frameworks, to strengthen cloud-based intrusion detection and enhance forensic visibility.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010015

Authors: Jose R. Rosas-Bustos Jesse Van Griensven Thé Roydon Andrew Fraser Sebastian Ratto Valderrama Nadeem Said Andy Thanos

This paper identifies theoretical vulnerabilities in quantum integrity verification by demonstrating that Bell inequality (BI) violations, central to the detection of quantum entanglement, can align with predictions from hidden variable theories (HVTs) under specific measurement configurations. By invoking a Heisenberg-inspired measurement resolution constraint and finite-resolution positive operator-valued measures (POVMs), we identify “convergence vicinities” where the statistical outputs of quantum and classical models become operationally indistinguishable. These results do not challenge Bell’s theorem itself; rather, they expose a vulnerability in quantum integrity frameworks that treat observed Bell violations as definitive, experiment-level evidence of nonclassical entanglement correlations. We support our theoretical analysis with simulations and experimental results from IBM quantum hardware. Our findings call for more robust quantum-verification frameworks, with direct implications for the security of quantum computing, quantum-network architectures, and device-independent cryptographic protocols (e.g., device-independent quantum key distribution (DIQKD)).

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010016

Authors: Pierre-Emmanuel Arduin Benjamin Costé

Cybersecurity education requires practical activities such as malware analysis, phishing detection, and Capture the Flag (CTF) challenges. These exercises enable students to actively apply theoretical concepts in realistic scenarios, fostering experiential learning. This article introduces an innovative pedagogical approach relying on gamification in cybersecurity courses, combining technical problem-solving with human factors such as social engineering and risk-taking behavior. By integrating interactive challenges into the courses, engagement and motivation have been enhanced, while addressing both technological and managerial dimensions of cybersecurity. Observations from course implementation indicate that students demonstrate higher involvement when participating in supervised offensive security tasks and social engineering simulations within controlled environments. These findings highlight the potential of gamified strategies to strengthen cybersecurity competencies and promote ethical awareness, paving the way for future research on long-term cybersecurity learning outcomes.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010014

Authors: Angela Oryza Prabowo Deka Julian Arrizki Baskoro Adi Pratomo Ahmad Ibnu Fajar Krisna Badru Wijaya Hudan Studiawan Ary Mazharuddin Shiddiqi Siti Hajar Othman

Anomaly-based network intrusion detection systems (NIDSs) complement signature-based detection methods to identify unknown (zero-day) attacks. The integration of machine and deep learning enhanced the efficiency of such NIDSs. However, since anomaly-based NIDSs heavily depend on the quality of the training data, the presence of malicious traffic in the training set can significantly degrade the model’s performance. Purging the training data of such traffic is often impractical. This study investigates performance degradation caused by increasing amounts of malicious traffic in the training data. We introduced varying portions of malicious traffic into the training sets of machine and deep learning models to determine which approach is most resilient to unclean training data. Our experiments revealed that Autoencoders, using a byte frequency feature set, achieved the highest F2 score (0.8989), with only a minor decrease of 0.0009 when trained on the most contaminated dataset. This performance drop was the smallest compared to other algorithms tested, including an Isolation Forest, a Local Outlier Factor, a One-Class Support Vector Machine, and Long Short-Term Memory.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010012

Authors: Jema David Ndibwile Ntung Ngela Landon Floride Tuyisenge

While face recognition systems are increasingly deployed in critical domains, they remain vulnerable to presentation attacks and exhibit significant demographic bias, particularly affecting African populations. This paper presents a fairness-aware Presentation Attack Detection (PAD) system using Local Binary Patterns (LBPs) with novel ethnicity-aware processing techniques specifically designed for African contexts. Our approach introduces three key technical innovations: (1) adaptive preprocessing with differentiated Contrast-Limited Adaptive Histogram Equalization (CLAHE) parameters and gamma correction optimized for different skin tones, (2) group-specific decision threshold optimization using Equal Error Rate (EER) minimization for each ethnic group, and (3) three novel statistical methods for PAD fairness evaluation such as Coefficient of Variation analysis, McNemar’s significance testing, and bootstrap confidence intervals representing the first application of these techniques in Presentation Attack Detection. Comprehensive evaluation on the Chinese Academy of Sciences Institute of Automation-SURF Cross-ethnicity Face Anti-spoofing dataset (CASIA-SURF CeFA) dataset demonstrates significant bias reduction achievements: a 75.6% reduction in the accuracy gap between African and East Asian subjects (from 3.07% to 0.75%), elimination of statistically significant bias across all ethnic group comparisons, and strong overall performance, with 95.12% accuracy and 98.55% AUC. Our work establishes a comprehensive methodology for measuring and mitigating demographic bias in PAD systems while maintaining security effectiveness, contributing both technical innovations and statistical frameworks for inclusive biometric security research.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010013

Authors: Qutaiba Alasad Meaad Ahmed Shahad Alahmed Omer T. Khattab Saba Alaa Abdulwahhab Jiann-Shuin Yuan

Machine learning (ML) techniques have significantly enhanced decision support systems to render them more accurate, efficient, and faster. ML classifiers in securing networks, on the other hand, face a disproportionate risk from the sophisticated adversarial attacks compared to other areas, such as spam filtering, intrusion, and virus detection, and this introduces a continuous competition between malicious users and preventers. Attackers test ML models with inputs that have been specifically crafted to evade these models and obtain inaccurate forecasts. This paper presents a comprehensive review of attack and defensive techniques in ML-based NIDSs. It highlights the current serious challenges that the systems face in preserving robustness against adversarial attacks. Based on our analysis, with respect to their current superior performance and robustness, ML-based NIDS require urgent attention to develop more robust techniques to withstand such attacks. Finally, we discuss the current existing approaches in generating adversarial attacks and reveal the limitations of current defensive approaches. In this paper, the most recent advancements, such as hybrid defensive techniques that integrate multiple strategies to prevent adversarial attacks in NIDS, have highlighted the ongoing challenges.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010011

Authors: Mahesh Narayanan Muhammad Asfand Hafeez Arslan Munir

Industrial Control Systems (ICS) are fundamental to the operation, monitoring, and automation of critical infrastructure in sectors such as energy, water utilities, manufacturing, transportation, and oil and gas. According to the Purdue Model, ICS encompasses tightly coupled OT and IT layers, becoming increasingly interconnected. Smart grids represent a critical class of ICS; thus, this survey examines encryption and relevant protocols in smart grid communications, with findings extendable to other ICS. Encryption techniques implemented at both the protocol and network layers are among the most effective cybersecurity strategies for protecting communications in increasingly interconnected ICS environments. This paper provides a comprehensive survey of encryption practices within the smart grid as the primary ICS application domain, focusing on protocol-level solutions (e.g., DNP3, IEC 60870-5-104, IEC 61850, ICCP/TASE.2, Modbus, OPC UA, and MQTT) and network-level mechanisms (e.g., VPNs, IPsec, and MACsec). We evaluate these technologies in terms of security, performance, and deployability in legacy and heterogeneous systems that include renewable energy resources. Key implementation challenges are explored, including real-time operational constraints, cryptographic key management, interoperability across platforms, and alignment with NERC CIP, IEC 62351, and IEC 62443. The survey highlights emerging trends such as lightweight Transport Layer Security (TLS) for constrained devices, post-quantum cryptography, and Zero Trust architectures. Our goal is to provide a practical resource for building resilient smart grid security frameworks, with takeaways that generalize to other ICS.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010010

Authors: Sameer Mankotia Daniel Conte de Leon Bhaskar P. Rimal

One of the major challenges for effective intrusion detection systems (IDSs) is continuously and efficiently incorporating changes on cyber-attack tactics, techniques, and procedures in the Internet of Things (IoT). Semi-automated cross-organizational sharing of IDS data is a potential solution. However, a major barrier to IDS data sharing is privacy. In this article, we describe the design, implementation, and evaluation of FedPrIDS: a privacy-preserving federated learning system for collaborative network intrusion detection in IoT. We performed experimental evaluation of FedPrIDS using three public network-based intrusion datasets: CIC-IDS-2017, UNSW-NB15, and Bot-IoT. Based on the labels in these datasets for attack type, we created five fictitious organizations, Financial, Technology, Healthcare, Government, and University and evaluated IDS accuracy before and after intelligence sharing. In our evaluation, FedPrIDS showed (1) a detection accuracy net gain of 8.5% to 14.4% from a comparative non-federated approach, with ranges depending on the organization type, where the organization type determines its estimated most likely attack types, privacy thresholds, and data quality measures; (2) a federated detection accuracy across attack types of 90.3% on CIC-IDS-2017, 89.7% on UNSW-NB15, and 92.1% on Bot-IoT; (3) maintained privacy of shared NIDS data via federated machine learning; and (4) reduced inter-organizational communication overhead by an average 50% and showed convergence within 20 training rounds.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010009

Authors: Christian Schwinne Jan Pelzl

This contribution outlines a completely new, fully local approach for secure web-based device control on the basis of browser inter-window messaging. Modern smart home IoT (Internet of Things) devices are commonly controlled with proprietary mobile applications via remote servers, which can have significant adverse implications for the end user. Given that many IoT devices in use today are limited in both available memory and processing speed, standard approaches such as HTTPS-based transport security are not always feasible and a need for more suitable alternatives for such constrained devices arises. The proposed local method for lightweight and secure web-based device control using inter-window messaging leverages existing standard web technologies to enable a maximum degree of privacy, choice, and sustainability within the smart home ecosystem. The implemented proof-of-concept shows that it is feasible to meet essential security objectives in a local web IoT control context while utilizing less than a kilobyte of additional memory compared to an unsecured solution, thereby promoting sustainability through hardening of the control protocols used by existing devices with too few resources for implementing standard web cryptography. In this way, the present work contributes to achieving the vision of a fully open and secure local smart home.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010008

Authors: Nithiya Muruganandham Yogesh Sharma Sina Keshvadi

Free live sports streaming (FLS) services attract millions of users who, driven by the excitement of live events, often engage with these high-risk platforms. Although these platforms are widely perceived as risky, the specific threats they pose have lacked large-scale empirical analysis. This paper addresses this gap through a comprehensive study of the FLS ecosystem, conducted during two major international sporting events (UCL playoffs and NHL Stanley Cup Playoffs, 2024–2025 season). We analyze the infrastructure, security threats, and privacy violations that define this space. Analysis of 260 unique domains uncovers systemic security risks, including drive-by downloads delivering persistent malware, and widespread privacy violations, such as invasive device fingerprinting that disregards regulations like the General Data Protection Regulation (GDPR). Furthermore, we map the ecosystem’s resilient infrastructure, identifying eight clusters of co-owned domains. These findings imply that effective countermeasures must target the centralized infrastructure and ephemeral nature of the FLS ecosystem beyond traditional blocking.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010007

Authors: Antonio Goncalves Anacleto Correia

Explainability is increasingly expected to support not only interpretation, but also accountability, human oversight, and auditability in high-risk Artificial Intelligence (AI) systems. However, in many deployments, explanations are generated as isolated technical reports, remaining weakly connected to decision provenance, governance actions, audit logs, and regulatory documentation. This short communication introduces XAI-Compliance-by-Design, a modular engineering framework for explainable artificial intelligence (XAI) systems that routes explainability outputs and related technical traces into structured, audit-ready evidence throughout the AI lifecycle, designed to align with key obligations under the European Union Artificial Intelligence Act (EU AI Act) and the General Data Protection Regulation (GDPR). The framework specifies (i) a modular architecture that separates technical evidence generation from governance consumption through explicit interface points for emitting, storing, and querying evidence, and (ii) a Technical–Regulatory Correspondence Matrix—a mapping table linking regulatory anchors to concrete evidence artefacts and governance triggers. As this communication does not report measured results, it also introduces an Evidence-by-Design evaluation protocol defining measurable indicators, baseline configurations, and required artefacts to enable reproducible empirical validation in future work. Overall, the contribution is a practical blueprint that clarifies what evidence must be produced, where it is generated in the pipeline, and how it supports continuous compliance and auditability efforts without relying on post hoc explanations.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010006

Authors: Benjamin Quattrone Youakim Badr

Acoustic Side-Channel Attacks (ASCAs) exploit the sound produced by keyboards and other devices to infer sensitive information without breaching software or network defenses. Recent advances in deep learning, large language models, and signal processing have greatly expanded the feasibility and accuracy of these attacks. To clarify the evolving threat landscape, this survey systematically reviews ASCA research published between January 2020 and February 2025. We categorize modern ASCA methods into three levels of text reconstruction—individual keystrokes, short text (words/phrases), and long-text regeneration— and analyze the signal processing, machine learning, and language-model decoding techniques that enable them. We also evaluate how environmental factors such as microphone placement, ambient noise, and keyboard design influence attack performance, and we examine the challenges of generalizing laboratory-trained models to real-world settings. This survey makes three primary contributions: (1) it provides the first structured taxonomy of ASCAs based on text generation granularity and decoding methodology; (2) it synthesizes cross-study evidence on environmental and hardware factors that fundamentally shape ASCA performance; and (3) it consolidates emerging countermeasures, including Generative Adversarial Network-based noise masking, cryptographic defenses, and environmental mitigation, while identifying open research gaps and future threats posed by voice-enabled IoT and prospective quantum side-channels. Together, these insights underscore the need for interdisciplinary, multi-layered defenses against rapidly advancing ASCA techniques.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010005

Authors: Robert Kopal Bojan Alikavazović Zlatan Morić

The Cyber Kill Chain (CKC) is a prevalent concept in cyber defense; nevertheless, its emphasis on post-reconnaissance phases limits the capacity to foresee attacker activities outside the organizational boundary. This study introduces and empirically substantiates a pre-chain phase, referred to as contextual anticipation, which broadens the temporal framework of the CKC by methodically identifying subtle yet actionable signals prior to reconnaissance. The methodology combines the STEMPLES+ framework for socio-technical scanning with General Morphological Analysis (GMA), generating internally coherent scenarios that are translated into Indicators of Threats (IOT). These indicators connect contextual triggers to threshold-based monitoring activities and established courses of action, forming a reproducible and auditable relationship between foresight analysis and operational defense. The application of three illustrative cases—a banking merger, the distribution of a phishing kit in underground marketplaces, and wartime contribution scams—illustrated that contextual anticipation consistently provided quantifiable lead-time benefits varying from several days to six weeks. This proactive stance enabled measures such as registrar takedowns, targeted awareness campaigns, and anticipatory monitoring before distribution and exploitation. By formalizing CKC-0 as an integrated socio-technical phase, the research enhances cybersecurity practice by demonstrating how diffuse contextual drivers can be converted into organized, actionable mechanisms for proactive resilience.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010004

Authors: Yesem Kurt Peker Rahul Raj

Statistical confidentiality focuses on protecting data to preserve its analytical value while preventing identity exposure, ensuring privacy and security in any system handling sensitive information. Homomorphic encryption allows computations on encrypted data without revealing it to anyone other than an owner or an authorized collector. When combined with other techniques, homomorphic encryption offers an ideal solution for ensuring statistical confidentiality. TFHE (Fast Fully Homomorphic Encryption over the Torus) is a fully homomorphic encryption scheme that supports efficient homomorphic operations on Booleans and integers. Building on TFHE, Zama’s Concrete project offers an open-source compiler that translates high-level Python code (version 3.9 or higher) into secure homomorphic computations. This study examines the feasibility of the Concrete compiler to perform core statistical analyses on encrypted data. We implement traditional algorithms for core statistical measures including the mean, variance, and five-point summary on encrypted datasets. Additionally, we develop a bitonic sort implementation to support the five-point summary. All implementations are executed within the Concrete framework, leveraging its built-in optimizations. Their performance is systematically evaluated by measuring circuit complexity, programmable bootstrapping count (PBS), compilation time, and execution time. We compare these results to findings from previous studies wherever possible. The results show that the complexity of sorting and statistical computations on encrypted data with the Concrete implementation of TFHE increases rapidly, and the size and range of data that can be accommodated is small for most applications. Nevertheless, this work reinforces the theoretical promise of Fully Homomorphic Encryption (FHE) for statistical analysis and highlights a clear path forward: the development of optimized, FHE-compatible algorithms.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010003

Authors: Roland Kelemen Dorina Bosits Zsófia Réti

Online hate speech poses a growing socio-technological threat that undermines democratic resilience and obstructs progress toward Sustainable Development Goal 16 (SDG 16). This study examines the regulatory and behavioral dimensions of this phenomenon through a combined legal analysis of platform governance and an empirical survey conducted on Meta platforms, based on a sample of young Hungarians (N = 301, aged 14–34). This study focuses on Hungary as a relevant case study of a Central and Eastern European (CEE) state. Countries in this region, due to their shared historical development, face similar societal challenges that are also reflected in the online sphere. The combination of high social media penetration, a highly polarized political discourse, and the tensions between platform governance and EU law (the DSA) makes the Hungarian context particularly suitable for examining digital resilience and the legal awareness of young users. The results reveal a significant “awareness gap”: While a majority of young users can intuitively identify overt hate speech, their formal understanding of platform rules is minimal. Furthermore, their sanctioning preferences often diverge from Meta’s actual policies, indicating a lack of clarity and predictability in platform governance. This gap signals a structural weakness that erodes user trust. The legal analysis highlights the limited enforceability and opacity of content moderation mechanisms, even under the Digital Services Act (DSA) framework. The empirical findings show that current self-regulation models fail to empower users with the necessary knowledge. The contribution of this study is to empirically identify and critically reframe this ‘awareness gap’. Moving beyond a simple knowledge deficit, we argue that the gap is a symptom of a deeper legitimacy crisis in platform governance. It reflects a rational user response—manifesting as digital resignation—to opaque, commercially driven, and unaccountable moderation systems. By integrating legal and behavioral insights with critical platform studies, this paper argues that achieving SDG 16 requires a dual strategy: (1) fundamentally increasing transparency and accountability in content governance to rebuild user trust, and (2) enhancing user-centered digital and legal literacy through a shared responsibility model. Such a strategy must involve both public and private actors in a coordinated, rights-based approach. Ultimately, this study calls for policy frameworks that strengthen democratic resilience not only through better regulation, but by empowering citizens to become active participants—rather than passive subjects—in the governance of online spaces.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010002

Authors: Rafael Borges Bruno Ferreira Carlos Machado Antunes Marisa Maximiano Ricardo Gomes Vítor Távora Manuel Dias Ricardo Correia Bezerra Patrício Domingues

The increasing volume of digital medical data offers substantial research opportunities, though its complete utilization is hindered by ongoing privacy and security obstacles. This proof-of-concept study explores and confirms the viability of using Secure Multi-Party Computation (SMPC) to ensure protection and integrity of sensitive patient data, allowing the construction of clinical trial cohorts. Our findings reveal that SMPC facilitates collaborative data analysis on distributed, private datasets with negligible computational costs and optimized data partition sizes. The established architecture incorporates patient information via a blockchain-based decentralized healthcare platform and employs the MPyC library in Python for secure computations on Fast Healthcare Interoperability Resources (FHIR)-format data. The outcomes affirm SMPC’s capacity to maintain patient privacy during cohort formation, with minimal overhead. It illustrates the potential of SMPC-based methodologies to expand access to medical research data. A key contribution of this work is eliminating the need for complex cryptographic key management while maintaining patient privacy, illustrating the potential of SMPC-based methodologies to expand access to medical research data by reducing implementation barriers.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp6010001

Authors: Suchart Khummanee Thanapat Cheawchanwattana Chanwit Suwannapong Sarutte Atsawaraungsuk Kritsanapong Somsuk

This study proposes the Huffman Tree and Binary Conversion (HTB) which is a preprocessing algorithm to transform the Huffman tree into binary representation before the encryption process. In fact, HTB can improve the structural readiness of plaintext by combining the Huffman code with a deterministic binary representation of the Huffman tree. In addition, binary representation of the Huffman tree and the compressed information will be encrypted by standard cryptographic algorithms. Six datasets, divided into two groups (short and long texts), were chosen to evaluate compression behavior and the processing cost. Moreover, AES and RSA are chosen to combine with the proposed method to analyze the encryption and decryption cycles. The experimental results show that HTB introduces a small linear-time overhead. That means, it is slightly slower than applying only the Huffman code. Across these datasets, HTB maintained a consistently low processing cost. The processing time is below one millisecond in both encoding and decoding processes. However, for long texts, the structural conversion cost becomes amortized across larger encoded messages, and the reduction in plaintext size leads to fewer encryption blocks for both AES and RSA. The reduced plaintext size lowers the number of AES encryption blocks by approximately 30–45% and decreases the number of encryption and decryption rounds in RSA. The encrypted binary representation of the Huffman tree also decreased structural ambiguity and reduced the potential exposure of frequency-related metadata. Although HTB does not replace cryptographic security, it enhances the structural consistency of compression. Therefore, the proposed method demonstrates scalability, predictable overhead, and improved suitability for cryptographic workflows.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040113

Authors: Ali Abdu M Dighriri Sarvjeet Kaur Chatrath Masoud Mohammadian

High cybersecurity risks and attacks cause information theft, unauthorized access to data and information, reputational damage, and financial loss in small and medium enterprises (SMEs). This creates a need to adopt information security systems of SMEs through innovation and compliance with information security policies. This study seeks to develop an integrated research model assessing the adoption of InfoSec systems in SMEs based on three existing theories, namely the technology acceptance model (TAM), theory of reasoned action (TRA), and unified theory of acceptance and use of technology (UTAUT). A thorough review of literature identified prior experience, enjoyment of new InfoSec technology, top management support, IT infrastructure, security training, legal-governmental regulations, and attitude as potential determinants of adoption of InfoSec systems. A self-developed and self-administered questionnaire was distributed to 418 employees, mid-level managers, and top-level managers working in SMEs operating in Riyadh, Saudi Arabia. The study found that prior experience, top management support, IT infrastructure, security training, and legal-governmental regulations have a positive impact on attitude toward InfoSec systems, which in turn positively influences the adoption of InfoSec systems. Gender, education, and occupation significantly moderated the impact of some determinants on attitude and, consequently, adoption of InfoSec systems. Such an integrated framework offers actionable insights and recommendations, including enhancing information security awareness and compliance with information security policies, as well as increasing profitability within SMEs. The study findings make considerable theoretical contributions to the development of knowledge and deliver practical contributions towards the status of SMEs in Saudi Arabia.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040112

Authors: Humera Ghani Shahram Salekzamankhani Bal Virdee

The rapid expansion of Internet of Things (IoT) technologies has introduced significant challenges in understanding the complexity and structure of network traffic data, which is essential for developing effective cybersecurity solutions. This research presents a comprehensive statistical and multivariate analysis of the IoT-23 dataset to identify meaningful network traffic patterns and assess the effectiveness of various analytical methods for IoT security research. The study applies descriptive statistics, inferential analysis, and multivariate techniques, including Principal Component Analysis (PCA), DBSCAN clustering, and factor analysis (FA), to the publicly available IoT-23 dataset. Descriptive analysis reveals clear evidence of non-normal distributions: for example, the features src_bytes, dst_bytes, and src_pkts have skewness values of −4.21, −3.87, and −2.98, and kurtosis values of 38.45, 29.67, and 18.23, respectively. These values indicate highly skewed, heavy-tailed distributions with frequent outliers. Correlation analysis revealed a strong positive correlation (0.97) between orig_bytes and resp_bytes, and a strong negative correlation (−0.76) between duration and resp_bytes, while inferential statistics indicate that linear regression provides optimal modeling of data relationships. Key findings show that PCA is highly effective, capturing 99% of the dataset’s variance and enabling significant dimensionality reduction. DBSCAN clustering identifies six distinct clusters, highlighting diverse network traffic behaviors within IoT environments. In contrast, FA explains only 11.63% of the variance, indicating limited suitability for this dataset. These results establish important benchmarks for future IoT cybersecurity research and demonstrate the superior effectiveness of PCA and DBSCAN for analyzing complex IoT network traffic data. The findings offer practical guidance for researchers in selecting appropriate statistical methods for IoT dataset analysis, ultimately supporting the development of more robust cybersecurity solutions.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040111

Authors: Chris Y. T. Ma

Smart phones have become an integral part of our lives in modern society, as we carry and use them throughout a day. However, this “body part” may maliciously collect and leak our personal information without our knowledge. When we install mobile applications on our smart phones and grant their permission requests, these apps can use sensors embedded in the smart phones and the stored data to gather and infer our personal information, preferences, and habits. In this paper, we present our preliminary results on quantifying the privacy risk of mobile applications by assessing whether requested permissions are necessary based on app descriptions through textual entailment decided by language models (LMs). We observe that despite incorporating various improvements of LMs proposed in the literature for natural language processing (NLP) tasks, the performance of the trained model remains far from ideal.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040110

Authors: Kamel Alrashedy Abdullah Aljasser Pradyumna Tambwekar Matthew Gombolay

Large language models (LLMs) have shown remarkable potential for automatic code generation. Yet, these models share a weakness with their human counterparts: inadvertently generating code with security vulnerabilities that could allow unauthorized attackers to access sensitive data or systems. In this work, we propose Feedback-Driven Security Patching (FDSP), wherein LLMs automatically refine vulnerable generated code. The key to our approach is a unique framework that leverages automatic static code analysis to enable the LLM to create and implement potential solutions to code vulnerabilities. Further, we curate a novel benchmark, PythonSecurityEval, that can accelerate progress in the field of code generation by covering diverse, real-world applications, including databases, websites, and operating systems. Our proposed FDSP approach achieves the strongest improvements, reducing vulnerabilities by up to 33% when evaluated with Bandit and 12% with CodeQL and outperforming baseline refinement methods.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040109

Authors: Saleh J. Makkawy Michael J. De Lucia Kenneth E. Barner

As technology advances, developers continually create innovative solutions to enhance smartphone security. However, the rapid spread of Android malware poses significant threats to devices and sensitive data. The Android Operating System (OS)’s open-source nature and Software Development Kit (SDK) availability mainly contribute to this alarming growth. Conventional malware detection methods, such as signature-based, static, and dynamic analysis, face challenges in detecting obfuscated techniques, including encryption, packing, and compression, in malware. Although developers have created several visualization techniques for malware detection using deep learning (DL), they often fail to accurately identify the critical malicious features of malware. This research introduces MalVis, a unified visualization framework that integrates entropy and N-gram analysis to emphasize meaningful structural and anomalous operational patterns within the malware bytecode. By addressing significant limitations of existing visualization methods, such as insufficient feature representation, limited interpretability, small dataset sizes, and restricted data access, MalVis delivers enhanced detection capabilities, particularly for obfuscated and previously unseen (zero-day) malware. The framework leverages the MalVis dataset introduced in this work, a publicly available large-scale dataset comprising more than 1.3 million visual representations in nine malware classes and one benign class. A comprehensive comparative evaluation was performed against existing state-of-the-art visualization techniques using leading convolutional neural network (CNN) architectures, MobileNet-V2, DenseNet201, ResNet50, VGG16, and Inception-V3. To further boost classification performance and mitigate overfitting, the outputs of these models were combined using eight distinct ensemble strategies. To address the issue of imbalanced class distribution in the multiclass dataset, we employed an undersampling technique to ensure balanced learning across all types of malware. MalVis achieved superior results, with 95% accuracy, 90% F1-score, 92% precision, 89% recall, 87% Matthews Correlation Coefficient (MCC), and 98% Receiver Operating Characteristic Area Under Curve (ROC-AUC). These findings highlight the effectiveness of MalVis in providing interpretable and accurate representation features for malware detection and classification, making it valuable for research and real-world security applications.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040108

Authors: Dudi Biton Jacob Shams Satoru Koda Asaf Shabtai Yuval Elovici Ben Nassi

The traditional process for learning patch-based adversarial attacks, conducted in the digital domain and later applied in the physical domain (e.g., via printed stickers), may suffer reduced performance due to adversarial patches’ limited transferability between domains. Given that previous studies have considered using film projectors to apply adversarial attacks, we ask: Can adversarial learning (i.e., patch generation) be performed entirely in the physical domain using a film projector? In this work, we propose the Physical-domain Adversarial Patch Learning Augmentation (PAPLA) framework, a novel end-to-end (E2E) framework that shifts adversarial learning from the digital domain to the physical domain using a film projector. We evaluate PAPLA in scenarios, including controlled laboratory and realistic outdoor settings, demonstrating its ability to ensure attack success compared to conventional digital learning–physical application (DL-PA) methods. We also analyze how environmental factors such as projection surface color, projector strength, ambient light, distance, and the target object’s angle relative to the camera affect patch effectiveness. Finally, we demonstrate the feasibility of the attack against a parked car and a stop sign in a real-world outdoor environment. Our results show that under specific conditions, E2E adversarial learning in the physical domain eliminates transferability issues and ensures evasion of object detectors. We also discuss the challenges and opportunities of adversarial learning in the physical domain and identify where this approach is more effective than using a sticker.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040107

Authors: Ioannis Fragkiadakis Stefanos Gritzalis Costas Lambrinoudakis

Privacy enhancement technologies are significant in the development of digital payment systems. At present, multiple innovative digital payment solutions have been introduced and may be implemented globally soon. As cyber threats continue to increase in complexity, security is a crucial factor to consider before adopting any technology. In addition to prioritizing security in the development of digital payment systems, it is essential to address user privacy concerns. Modern digital payment solutions offer numerous advantages over traditional systems; however, they also introduce new considerations that must be accounted for during implementation. These considerations go beyond legislative requirements and encompass new payment methods, including transactions made through mobile devices regardless of internet connectivity. A range of regulations and guidelines exist to ensure user privacy in financial transactions, with the General Data Protection Regulation (GDPR) being particularly notable, while technical reports have thoroughly examined the differences between various privacy-enhancing technologies. Additionally, it is important to note that all legal payment systems are required to maintain information for audit purposes. This paper introduces a comprehensive framework that integrates all critical considerations for selecting appropriate privacy enhancement technologies within digital payment systems, while it utilizes a detailed scoring system designed for convenience and adaptability, allowing it to be employed for purposes such as auditing. Thus, the proposed scoring framework integrates security, GDPR compliance, audit, privacy-preserving technical measures, and operational constraints to assess privacy technologies for digital payments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040106

Authors: Colman McGuan Aadithyan Vijaya Raghavan Komala M. Mandapati Chansu Yu Brian E. Ray Debbie K. Jackson Sathish Kumar

In an increasingly interconnected world, cybersecurity professionals play a pivotal role in safeguarding organizations from cyber threats. To secure their cyberspace, organizations are forced to adopt a cybersecurity framework such as the NIST National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity (NICE Framework). Although these frameworks are a good starting point for businesses and offer critical information to identify, prevent, and respond to cyber incidents, they can be difficult to navigate and implement, particularly for small-medium businesses (SMBs). To help overcome this issue, this paper identifies the most frequent attack vectors to SMBs (Objective 1) and proposes a practical model of both technical and non-technical tasks, knowledge, skills, abilities (TKSA) from the NICE Framework for those attacks (Objective 2). This research develops a scenario-based curriculum. By immersing learners in realistic cyber threat scenarios, their practical understanding and preparedness in responding to cybersecurity incidents is enhanced (Objective 3). Finally, this work integrates practical experience and real-life skill development into the curriculum (Objective 4). SMBs can use the model as a guide to evaluate, equip their existing workforce, or assist in hiring new employees. In addition, educational institutions can use the model to develop scenario-based learning modules to adequately equip the emerging cybersecurity workforce for SMBs. Trainees will have the opportunity to practice both technical and legal issues in a simulated environment, thereby strengthening their ability to identify, mitigate, and respond to cyber threats effectively. We piloted these learning modules as a semester-long course titled “Hack Lab” for both Computer Science (CS) and Law students at CSU during Spring 2024 and Spring 2025. According to the self-assessment survey by the end of the semester, students demonstrated substantial gains in confidence across four key competencies (identifying vulnerabilities and using tools, applying cybersecurity laws, recognizing steps in incident response, and explaining organizational response preparation) with an average improvement of +2.8 on a 1–5 scale. Separately, overall course evaluations averaged 4.4 for CS students and 4.0 for Law students, respectively, on a 1–5 scale (college average is 4.21 and 4.19, respectively). Law students reported that hands-on labs were difficult, although they were the most impactful experience. They demonstrated a notable improvement in identifying vulnerabilities and understanding response processes.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040105

Authors: Mehrnoush Vaseghipanah Sam Jabbehdari Hamidreza Navidi

Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040104

Authors: Mahmudul Haque A. S. M. Hossain Bari Marina L. Gavrilova

The widespread dissemination of misleading news presents serious challenges to public discourse, democratic institutions, and societal trust. Misleading-news classification (MNC) has been extensively studied through deep neural models that rely mainly on semantic understanding or large-scale pretrained language models. However, these methods often lack interpretability and are computationally expensive, limiting their practical use in real-time or resource-constrained environments. Existing approaches can be broadly categorized into transformer-based text encoders, hybrid CNN–LSTM frameworks, and fuzzy-logic fusion networks. To advance research on MNC, this study presents a lightweight multimodal framework that extends the Fuzzy Deep Hybrid Network (FDHN) paradigm by introducing a linguistic and behavioral biometric perspective to MNC. We reinterpret the FDHN architecture to incorporate linguistic cues such as lexical diversity, subjectivity, and contradiction scores as behavioral signatures of deception. These features are processed and fused with semantic embeddings, resulting in a model that captures both what is written and how it is written. The design of the proposed method ensures the trade-off between feature complexity and model generalizability. Experimental results demonstrate that the inclusion of lightweight linguistic and behavioral biometric features significantly enhance model performance, yielding a test accuracy of 71.91 ± 0.23% and a macro F1 score of 71.17 ± 0.26%, outperforming the state-of-the-art method. The findings of the study underscore the utility of stylistic and affective cues in MNC while highlighting the need for model simplicity to maintain robustness and adaptability.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040103

Authors: Kong Phang Jihene Kaabi

Privacy harms have expanded alongside rapid technological change, challenging the adequacy of existing regulatory frameworks. This systematic review (1990–2025) systematically maps documented privacy harms to specific legal mechanisms and observed enforcement outcomes across jurisdictions, using PRISMA-guided methods and ROBIS risk-of-bias assessment. We synthesize evidence on major regimes (e.g., GDPR, COPPA, CCPA, HIPAA, GLBA) and conduct comparative legal analysis across the U.S., E.U., and underexplored regions in Asia, Latin America, and Africa. Key findings indicate increased recognition of data subject rights, persistent gaps in cross-border data governance, and emerging risks from AI/ML/LLMs, IoT, and blockchain, including data breaches, algorithmic discrimination, and surveillance. While regulations have advanced, enforcement variability and fragmented standards limit effectiveness. We propose strategies for harmonization and risk-based, technology-neutral safeguards. While focusing on the U.S. sectoral and E.U. comprehensive models, we include targeted comparisons with Canada (PIPEDA), Australia (Privacy Act/APPs), Japan (APPI), India (DPDPA), Africa (POPIA/NDPR/Kenya DPA), and ASEAN interoperability instruments. This review presents an evidence-based framework for understanding the interplay between evolving harms, emerging technologies, and legal protections, and identifies priorities for strengthening global privacy governance.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040102

Authors: Miriam L. Munoz Muhammad F. Islam

Phishing attacks, particularly Smishing (SMS phishing), have become a major cybersecurity threat, with attackers using social engineering tactics to take advantage of human vulnerabilities. Traditional detection models often struggle to keep up with the evolving sophistication of these attacks, especially on devices with constrained computational resources. This research proposes a chain transformer model that integrates GPT-2 for synthetic data generation and BERT for embeddings to detect Smishing within a multiclass dataset, including minority smishing variants. By utilizing compact, open-source transformer models designed to balance accuracy and efficiency, this study explores improved detection of phishing threats on text-based platforms. Experimental results demonstrate an accuracy rate exceeding 97% in detecting phishing attacks across multiple categories. The proposed chained transformer model achieved an F1-score of 0.97, precision of 0.98, and recall of 0.96, indicating strong overall performance.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040101

Authors: William Walter Finch Marya Butt

This review examines AI governance centered on Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the EU Artificial Intelligence Act), alongside comparable instruments (ISO/IEC 42001, NIST AI RMF, OECD Principles, ALTAI). Using a hybrid systematic–scoping method, it maps obligations across actor roles and risk tiers, with particular attention to low-capacity actors, especially SMEs and public authorities. Across the surveyed literature, persistent gaps emerge in enforceability, proportionality, and auditability, compounded by frictions between the AI Act and GDPR and fragmented accountability along the value chain. Rather than introducing a formal model, this paper develops a conceptual lens—compliance asymmetry—to interrogate the structural frictions between regulatory ambition and institutional capacity. This framing enables the identification of normative and operational gaps that must be addressed in future model design.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040100

Authors: Carlos Varela Enríquez Renato Toasa Maryory Urdaneta

This article analyzes how artificial intelligence (AI) is influencing the evolution of cybercrime in Ecuador. The use of AI tools to create new threats, such as intelligent malware, automated phishing, and financial fraud, is on the rise. The main problem is the increasing sophistication of AI-driven cyberattacks and the limited preventive response capacity in Ecuador. In Ecuador, cybercrime rose by more than 7% in 2024 compared to 2023, and by nearly 130% between 2020 and 2021. This research focuses on exploring mitigation strategies based on international frameworks such as NIST and ISO, as well as developing measures through training and knowledge transfer. The results obtained are expected to help identify the main trends in AI-driven cyberthreats and propose a set of technical, legal, and training measures to strengthen public and private institutions in Ecuador. It is important to emphasize that the implementation of international standards, national policies, and specialized training is essential to address emerging cybersecurity risks in Ecuador.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040099

Authors: Angélica Pigola Fernando de Souza Meirelles

This study examines the adoption and implementation of the Zero Trust (ZT) cybersecurity paradigm using the Technology–Organization–Environment (TOE) framework. While ZT is gaining traction as a security model, many organizations struggle to align strategic intent with effective implementation. We adopted a sequential mixed-methods design combining 27 semi-structured interviews with cybersecurity professionals and a survey of 267 experts across industries. The qualitative phase used an inductive approach to identify organizational challenges, whereas the quantitative phase employed Partial Least Squares Structural Equation Modeling (PLS-SEM) to test the hypothesized relationships. Results show that information security culture and investment significantly influence both strategic alignment and the technical implementation of ZT. Implementation acted as an intermediary mechanism through which these organizational factors affected governance and compliance outcomes. Strategic commitment alone was insufficient to drive effective implementation without strong cultural support. Qualitative insights underscored the importance of leadership engagement, cross-functional collaboration, and legacy infrastructure readiness in shaping outcomes. The findings emphasize the need for cultural alignment, targeted investments, and process maturity to ensure successful ZT adoption. Organizations can leverage these insights to prioritize resources, strengthen governance, and reduce implementation friction. This research is among the first to empirically investigate ZT implementation through the TOE lens. It contributes to cybersecurity management literature by integrating strategic, cultural, and operational dimensions of ZT adoption and offers practical guidance for decision-makers seeking to institutionalize Zero Trust principles.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040098

Authors: Maria-Mădălina Andronache Alexandru Vulpe Corneliu Burileanu

Malware remains one of the most persistent and evolving threats to cybersecurity, necessitating robust analysis techniques to understand and mitigate its impact. This study presents a comprehensive analysis of selected malware samples using both static and dynamic analysis techniques. In the static phase, file structure, embedded strings, and code signatures were examined, while in the dynamic analysis phase, the malware was executed in a virtual sandbox environment to observe process creation, network communication, and file system changes. By combining these two approaches, various types of malware files could be characterized and have their key elements revealed. This improved the understanding of the code capabilities and evasive behaviors of malicious files. The goal of these analyses was to create a database of malware profiling tools and tools that can be utilized to identify and analyze malware. The results demonstrate that integrating static and dynamic methodologies improves the accuracy of malware profiling and supports more effective threat detection and incident response strategies.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040097

Authors: Konstantina Mentzelou Panos T. Chountalas Fotis C. Kitsios Anastasios I. Magoutas Thomas K. Dasaklis

The implementation of the NIS2 Directive expands the scope of cybersecurity regulation across the European Union, placing new demands on both essential and important entities. Despite its importance, organizations face multiple barriers that undermine compliance, including lack of awareness, technical complexity, financial constraints, and regulatory uncertainty. This study identifies and models these barriers to provide a clearer view of the systemic challenges of NIS2 implementation. Building on a structured literature review, fourteen barriers were defined and validated through expert input. The Decision-Making Trial and Evaluation Laboratory (DEMATEL) method was then applied to examine their interdependencies and to map causal relationships. The analysis highlights lack of awareness and the evolving threat landscape as key drivers (i.e., causal factors) that reinforce each other. Technical complexity and financial constraints act as mediators transmitting the influence of these causal factors toward operational and governance failures. Operational disruptions, high reporting costs, and inadequate risk assessment emerge as the most dependent outcomes (i.e., effect factors), absorbing the impact of the driving and mediating factors. The findings suggest that interventions targeted at awareness-building, resource allocation, and risk management capacity have the greatest leverage for improving compliance and resilience. By clarifying the cause-and-effect dynamics among barriers, this study supports policymakers and managers in designing more effective strategies for NIS2 implementation and contributes to current debates on cybersecurity governance in critical infrastructures.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040096

Authors: Sarah Alhuwayshil Sundaresan Ramachandran Kyounggon Kim

Ransomware attacks pose a serious threat to computer networks, causing widespread disruption to individual, corporate, governmental, and critical national infrastructures. To mitigate their impact, extensive research has been conducted to analyze ransomware operations. However, most prior studies have focused on decryption, post-infection response, or general family-level classification for performance evaluation, with limited attention to linking classification accuracy to each family’s threat level and behavioral patterns. In this study, we propose a classification framework for the most dangerous ransomware families targeting Windows systems, correlating model performance with defined threat levels (high, medium, and low) based on API call patterns. Two independent datasets were used, extracted from VirusTotal and Cuckoo Sandbox, and a cross-source evaluation strategy was applied, alternating training and testing roles between datasets to assess generalization ability and minimize source bias. The results show that the proposed approach, particularly when using XGBoost and LightGBM, achieved accuracy rates ranging from 84 to 100% across datasets. These findings confirm the effectiveness of our method in accurately classifying ransomware families while accounting for their severity and behavioral characteristics.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040095

Authors: Siddhant Srinivas Brandon Kirk Julissa Zendejas Michael Espino Matthew Boskovich Abdul Bari Khalil Dajani Nabeel Alzahrani

The increasing volume, velocity, and sophistication of cyber threats have placed immense pressure on modern Security Operations Centers (SOCs). Traditional rule-based and manual processes are proving insufficient, leading to alert fatigue, delayed responses, high false-positive rates, analyst dependency, and escalating operational costs. Recent advancements in Artificial Intelligence (AI) offer new opportunities to transform SOC workflows through automation and augmentation. Large Language Models (LLMs) and autonomous AI agents have shown strong potential in enhancing capabilities such as log summarization, alert triage, threat intelligence, incident response, report generation, asset discovery, and vulnerability management. This paper reviews recent developments in the application of LLMs and AI agents across these SOC functions, introducing a taxonomy that organizes their roles and capabilities within operational pipelines. While these technologies improve detection accuracy, response time, and analyst support, challenges persist, including model interpretability, adversarial robustness, integration with legacy systems, and the risk of hallucinations or data leakage. A detailed capability-maturity model outlines the levels of integration with SOC tasks. This survey synthesizes trends, identifies persistent limitations, and outlines future directions for trustworthy, explainable, and safe AI integration in SOC environments.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040094

Authors: Amanul Islam Sourav Purification Sang-Yoon Chang

Mobile networking in 4G and 5G remains vulnerable against fake base stations. A fake base station can inject and manipulate the radio resource control (RRC) communication protocol to disable the user equipment’s connectivity. To motivate our research, we empirically show that such a fake base station can cause an indefinite hold of the user equipment’s connectivity using our fake base station prototype against an off-the-shelf phone. To defend against such threat, we design and build an anomaly detection system to detect the fake base station threats. It detects any base station’s deviations from the 4G/5G RRC protocol, which supports both the connectivity provision case (all works well and the user receives connectivity) and the connection-release case (cannot provide connectivity at the time and thus releases connections). Our scheme based on unsupervised machine learning dynamically and automatically controls and sets the detection parameters, which vary with mobility and the communication channel, and utilizes greater information to improve its effectiveness. Using software-defined radios and srsRAN, we implement a prototype of our scheme from sensing to data collection to machine-learning-based detection processing. Our empirical evaluations demonstrate the detection effectiveness and adaptability; i.e., our scheme accurately detects fake base stations deviating from the set protocol in mobile scenarios by adapting its model parameters. Our scheme achieves 100% accuracy in static scenarios against the fake base station threats. If the dynamic control is disabled, i.e., not adapting to mobility and different channel environments, the accuracy drops to 65–76%, but our scheme adjusts the model via dynamic training to recover to 100% accuracy.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040093

Authors: Diana Carbone Francesco Marcatto Francesca Mistichelli Donatella Ferrante

The rapid digitalization of work and daily life has introduced a wide range of online threats, from common hazards such as malware and phishing to emerging challenges posed by artificial intelligence (AI). While technical aspects of cybersecurity have received extensive attention, less is known about how individuals perceive digital risks and how these perceptions shape protective behaviors. Building on the psychometric paradigm, this study investigated the perception of seven digital threats among a sample of 300 Italian workers employed in IT and non-IT sectors. Participants rated each hazard on dread and unknown risk dimensions and reported their cybersecurity expertise. Optimism bias and proactive awareness were also detected. Cluster analyses revealed four profiles based on different levels of dread and unknown risk ratings. The four profiles also differed in reported levels of expertise, optimism bias, and proactive awareness. Notably, AI was perceived as the least familiar and most uncertain hazard across groups, underscoring its salience in shaping digital risk perceptions. These findings highlight the heterogeneity of digital risk perception and suggest that tailored communication and training strategies, rather than one-size-fits-all approaches, are essential to fostering safer online practices.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040092

Authors: Evangelia Daskalaki Emmanouela Kokolaki Paraskevi Fragopoulou

Hashes are vital in limiting the spread of child sexual abuse material online, yet their use introduces unresolved technical, legal, and ethical challenges. This paper bridges a critical gap by analyzing both cryptographic and perceptual hashing, not only in terms of detection capabilities, but also their vulnerabilities and implications for privacy governance. Unlike prior work, it reframes CSAM detection as a multidimensional issue, at the intersection of cybersecurity, data protection law, and digital ethics. Three key contributions are made: first, a comparative evaluation of hashing techniques, revealing weaknesses, such as susceptibility to media edits, collision attacks, hash inversion, and data leakage; second, a call for standardized benchmarks and interoperable evaluation protocols to assess system robustness; and third, a legal argument that perceptual hashes qualify as personal data under EU law, with implications for transparency and accountability. Ethically, the paper underscores the tension faced by service providers in balancing user privacy with the duty to detect CSAM. It advocates for detection systems that are not only technically sound, but also legally defensible and ethically governed. By integrating technical analysis with legal insight, this paper offers a comprehensive framework for evaluating CSAM detection, within the broader context of digital safety and privacy.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040091

Authors: Taiwo Oladipupo Ayodele

Email continues to serve as a primary vector for cyber-attacks, with phishing, spoofing, and polymorphic malware evolving rapidly to evade traditional defences. Conventional email security systems, often reliant on static, signature-based detection struggle to identify zero-day exploits and protect user privacy in increasingly data-driven environments. This paper introduces TwinGuard, a privacy-preserving framework that leverages digital twin technology to enable adaptive, personalised email threat detection. TwinGuard constructs dynamic behavioural models tailored to individual email ecosystems, facilitating proactive threat simulation and anomaly detection without accessing raw message content. The system integrates a BERT–LSTM hybrid for semantic and temporal profiling, alongside federated learning, secure multi-party computation (SMPC), and differential privacy to enable collaborative intelligence while preserving confidentiality. Empirical evaluations were conducted using both synthetic AI-generated email datasets and real-world datasets sourced from Hugging Face and Kaggle. TwinGuard achieved 98% accuracy, 97% precision, and a false positive rate of 3%, outperforming conventional detection methods. The framework offers a scalable, regulation-compliant solution that balances security efficacy with strong privacy protection in modern email ecosystems.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040090

Authors: Deepak Kumar Priyanka Pramod Pawar Santosh Reddy Addula Mohan Kumar Meesala Oludotun Oni Qasim Naveed Cheema Anwar Ul Haq Guna Sekhar Sajja

The rapid expansion of the Internet of Things (IoT) has introduced new vulnerabilities that traditional security mechanisms often fail to address effectively. Signature-based intrusion detection systems cannot adapt to zero-day attacks, while rule-based solutions lack scalability for the diverse and high-volume traffic in IoT environments. To strengthen the security framework for IoT, this paper proposes a deep learning-based anomaly detection approach that integrates Convolutional Neural Networks (CNNs) and Bidirectional Gated Recurrent Units (BiGRUs). The model is further optimized using the Moth–Flame Optimization (MFO) algorithm for automated hyperparameter tuning. To mitigate class imbalance in benchmark datasets, we employ Generative Adversarial Networks (GANs) for synthetic sample generation alongside Z-score normalization. The proposed CNN–BiGRU + MFO framework is evaluated on two widely used datasets, UNSW-NB15 and UCI SECOM. Experimental results demonstrate superior performance compared to several baseline deep learning models, achieving improvements across accuracy, precision, recall, F1-score, and ROC–AUC. These findings highlight the potential of combining hybrid deep learning architectures with evolutionary optimization for effective and generalizable intrusion detection in IoT systems.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040089

Authors: Ruhunage Panchali Dias Zazli Lily Wisker Noor H. S. Alani

Digital banking has become part of everyday life in Aotearoa–New Zealand, offering convenience but also raising questions of trust, security, and long-term commitment. This study examines how service quality, security and privacy, user experience, emotional attachment, and perceived risk shape customer trust and commitment in digital banking platforms. Trust is positioned as a key mediating factor, guided by the Technology Acceptance Model, Commitment–Trust Theory, Service Quality Theory, and Perceived Risk Theory. An online survey of 111 digital banking users from diverse backgrounds was conducted, and Hayes’s PROCESS Model 4 was applied to test both direct and indirect relationships. The results show that security/privacy and emotional attachment are the strongest predictors of commitment, while service quality and user experience contribute indirectly through trust. This study adds three contributions. First, it explains customer commitment rather than intention. Second, it compares the indirect paths through trust from service quality, security and privacy, user experience, and emotional attachment within one model using bias corrected bootstrap confidence intervals. Third, in a sample with many experienced users, perceived risk shows no indirect effect, which suggests a boundary condition for risk focused models.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040088

Authors: Michael Herbert Ziegler Mariusz Nowostawski Basel Katt

This paper introduces a novel similarity measure to link transactions which spend outputs of CoinJoin transactions, CoinJoin Spending Transactions (CSTs), by analyzing their on-chain properties, addressing the challenge of preserving user privacy in blockchain systems. Despite the adoption of privacy-enhancing techniques like CoinJoin, users remain vulnerable to transaction linkage through shared output patterns. The proposed method leverages timestamp analysis of mixed outputs and employs a one-sided Chamfer distance to quantify similarities between CSTs, enabling the identification of transactions associated with the same user. The approach is evaluated across three major CoinJoin implementations (Dash, Whirlpool, and Wasabi 2.0) demonstrating its effectiveness in detecting linked CSTs. Additionally, the work improves transaction classification rules for Wasabi 2.0 by introducing criteria for uncommon denomination outputs, reducing false positives. Results show that multiple CSTs spending shared CoinJoin outputs are prevalent, highlighting the practical significance of the similarity measure. The findings underscore the ongoing privacy risks posed by transaction linkage, even within privacy-focused protocols. This work contributes to the understanding of CoinJoin’s limitations and offers insights for developing more robust privacy mechanisms in decentralized systems. To the authors knowledge this is the first work analyzing the linkage between CSTs.

Journal of Cybersecurity and Privacy doi: 10.3390/jcp5040087

Authors: Dan Xu Iqbal Gondal Xun Yi Teo Susnjak Paul Watters Timothy R. McIntosh

Generative artificial intelligence (AI) and persistent empirical gaps are reshaping the cyber threat landscape faster than Zero-Trust Architecture (ZTA) research can respond. We reviewed 10 recent ZTA surveys and 136 primary studies (2022–2024) and found that 98% provided only partial or no real-world validation, leaving several core controls largely untested. Our critique, therefore, proceeds on two axes: first, mainstream ZTA research is empirically under-powered and operationally unproven; second, generative-AI attacks exploit these very weaknesses, accelerating policy bypass and detection failure. To expose this compounding risk, we contribute the Cyber Fraud Kill Chain (CFKC), a seven-stage attacker model (target identification, preparation, engagement, deception, execution, monetization, and cover-up) that maps specific generative techniques to NIST SP 800-207 components they erode. The CFKC highlights how synthetic identities, context manipulation and adversarial telemetry drive up false-negative rates, extend dwell time, and sidestep audit trails, thereby undermining the Zero-Trust principles of verify explicitly and assume breach. Existing guidance offers no systematic countermeasures for AI-scaled attacks, and that compliance regimes struggle to audit content that AI can mutate on demand. Finally, we outline research directions for adaptive, evidence-driven ZTA, and we argue that incremental extensions of current ZTA that are insufficient; only a generative-AI-aware redesign will sustain defensive parity in the coming threat cycle.