Explore the vast range of titles available.

Although information made public after a data breach can provide insight into difficult research questions, use of these data raises ethical questions not directly addressed by current ethical guidelines. This article develops a framework for identifying and managing risks to human subjects when conducting research involving leaked data. We contend that researchers who seek to use leaked data should identify and address ethical challenges by considering the process through which the data were originally released into the public domain.

Growing dependence on cyberspace for commerce, communication, governance, and military operations has left society vulnerable to a multitude of security threats. Mitigating the inherent risks associated with the use of cyberspace poses a series of thorny public policy problems. In this volume, academics, practitioners from both private sector and government, along with former service members come together to highlight sixteen of the most pressing contemporary challenges in cybersecurity, and to offer recommendations for the future. As internet connectivity continues to spread, this book will offer readers greater awareness of the threats of tomorrow—and serve to inform public debate into the next information age. Contributions by Adrienne Allen, Aaron Brantly, Lauren Boas Hayes, Jane Chong, Joshua Corman, Honorable Richard J. Danzig, Kat Dransfield, Ryan Ellis, Mailyn Fidler, Allan Friedman, Taylor Grossman, Richard M. Harrison, Trey Herr, Drew Herrick, Jonah F. Hill, Robert M. Lee, Herbert S. Lin, Anastasia Mark, Robert Morgus, Paul Ohm, Eric Ormes, Jason Rivera, Sasha Romanosky, Paul Rosenzweig, Matthew Russell, Nathaniel Tisa, Abraham Wagner, Rand Waltzman, David Weinstein, Heather West, and Beau Woods.

This dissertation explores the dynamic of control between politics and technology, looking at three particular facets – assimilation, restriction, and standardization – as examples of the evolving relationship between the state and information security. Chapter 1 looks at the process of assimilation as the state attempts to use information security toward its own ends. Critiquing contemporary arguments on the presence of an offensive advantage in information security, this chapter breaks open the previously black boxed process of developing and deploying offensive capabilities by the state. Particularly, it examines how the software development process impacts, and often limits, the state’s ability to employ malicious tools especially in lieu of conventional alternatives like precision guided bombs. Advancing the argument that there is substantial complexity in the offensive process, the chapter concludes that existing assumptions for ease of use and the likelihood of rapid escalation prevalent in literature on the topic are exaggerated owing to the challenges in assimilating and employing information security tools in a conflict environment. Chapter 2 takes up the question of control through restriction, explaining the repeated use of export controls to regulate the diffusion of information security products globally. Set against a collection of legal tools seemingly ill-fitted to controlling the flow of software, the Departments of Commerce, State, and Defense have persisted in the application of export controls to limit trade in information security products. Rather than adapt to a changing commercial and research environment or craft policy tools better suited to curtail the spread of information security products abroad, the U.S. continued to apply and only moderately tweak the composition of export controls despite their limited effectiveness. This chapter explains the selection of these controls and their persistence as a product of boundedly rational behavior to minimize transaction costs and change in standard operating procedures, even at the cost of reduced regulatory efficacy. Chapter 3 looks at standardization, trying to answer if the recent emergence of the information security insurance industry as a means of private governance is a product of the state’s failure to set and enforce standards or the private sector’s opportunistic action to lock in material benefit. Synthesizing previous state efforts to create standards with literature on private governance and its internal debates, the chapter examines the history and process of insurance. It argues that a market driven enforcement mechanism was key to providing financial benefit to companies willing to lead in the governance process.

The contemporary debate over cyber security rests on a set of linguistic artifacts that date from the Cold War. Attempting to glean a starting point for debate over use of terms like \"cyber attack\" or \"cyber war\" is difficult, largely because of lack of agreement on what constitutes a weapon in cyberspace, be it \"weaponized code\" or black hats with root access. For information security professionals, this has led to a proliferation of taxonomies tied to particular vendor anti- virus systems. To social science researchers and the policy community, the result has been unclear definitions and vague terminology, which hinder academic progress and the development of effective policy. This paper offers a modular approach to define malware and classify cyber weapons using the PrEP framework of Propagation Method, Exploit, and Payload. A Propagation Method (Pr) is the means by which a weapon is inserted into a target network or system, such as an infected USB stick or email carrying a compromised attachment. An Exploit (E) is code designed to exploit some aspect of a software system which allows third parties to effect unintended operations or consequences. A Payload (P) is the heart of a cyber-weapon: software written to achieve a particular goal such as stealing password files or deleting documents. As developed in this paper, a Cyber Weapon is the combination of three software components: a Propagation Method, one or several Exploits, and a Payload designed to create destructive physical or logical effects. Defining malware requires a difficult combination between technical specificity and conceptual breadth. The PrEP framework attempts to balance these concerns while building out a set of concepts useful to both research and policy communities.

To date, our definition is an extensional one - we characterize a cyber tool (such as malware) as a weapon if it is used in a warfare-like manner. [...]the drafters of the Tallinn Manual characterize a cyber weapon by the effects it may have, rather than by its nature or components, or means of operation or construction.5 But that sort of ex post definition is unsatisfactory for a host of reasons. Yet, as we have said, no definition of a cyber weapon exists today other than a definition that operates only through practical application. [...]a definition \"may provide a basis for a more objective determination of the nature of activities in cyberspace,\"6 and would form the basis of a larger cyber weapons proliferation control enterprise.

The contemporary debate over cybersecurity rests on a set of linguistic artifacts that date from the Cold War. Attempting to glean a starting point for debate over use of terms such as ‘cyber attack’ or ‘cyber war’ is difficult, largely because there is little agreement on what constitutes a weapon in cyberspace. This paper proposes a new framework to classify malware and cyber weapons based on the different pieces of malicious code that constitute them, then evaluates competing definitions of cyber weapons, and concludes with implications for this approach.

Electroencephalography (EEG) is an important tool in the field of developmental cognitive neuroscience for indexing neural activity. However, racial biases persist in EEG research that limit the utility of this tool. One bias comes from the structure of EEG nets/caps that do not facilitate equitable data collection across hair textures and types. Recent efforts have improved EEG net/cap design, but these solutions can be time-intensive, reduce sensor density, and are more difficult to implement in younger populations. The present study focused on testing EEG sensor net designs over infancy. Specifically, we compared EEG data quality and retention between two high-density saline-based EEG sensor net designs from the same company (Magstim EGI, Whitland, UK) within the same infants during a baseline EEG paradigm. We found that within infants, the tall sensor nets resulted in lower impedances during collection, including lower impedances in the key online reference electrode for those with greater hair heights and resulted in a greater number of usable EEG channels and data segments retained during pre-processing. These results suggest that along with other best practices, the modified tall sensor net design is useful for improving data quality and retention in infant participants with curly or tightly-coiled hair.