Sebastian Pape | Goethe-Universität Frankfurt am Main
Books by Sebastian Pape
When designing cryptosystems, one tries to base their security on certain underlying mathematical problems by means of reductions. Whoever can break the cryptosystem is thereby also able to solve the underlying problem. If the attacker is assumed not to be able to solve the underlying problem, the cryptosystem is considered secure. One problem with this line of argument, however, is that the underlying problems are usually hard only in general. In the reduction of cryptosystems, however, average problem instances typically arise, which may be much easier to solve.
For this reason, the public-key cryptosystem of Ajtai and Dwork attracted considerable attention. They were the first to succeed in showing a worst-case / average-case equivalence between the cryptosystem and the underlying problem. However, Ajtai and Dwork confined themselves to the reduction proof. Security models provide a more formal description of the assumptions about the capabilities and intentions of a potential attacker. This book therefore investigates in which security models the Ajtai-Dwork cryptosystem can be considered secure.
Papers by Sebastian Pape
Proceedings on Privacy Enhancing Technologies (PoPETs), 2022
Through voice characteristics and manner of expression, even seemingly benign voice recordings can reveal sensitive attributes about a recorded speaker (e.g., geographical origin, health status, personality). We conducted a nationally representative survey in the UK (n = 683, 18-69 years) to investigate people's awareness about the inferential power of voice and speech analysis. Our results show that, while awareness levels vary between different categories of inferred information, there is generally low awareness across all participant demographics, even among participants with professional experience in computer science, data mining, and IT security. For instance, only 18.7% of participants are at least somewhat aware that physical and mental health information can be inferred from voice recordings. Many participants have rarely (28.4%) or never (42.5%) even thought about the possibility of personal information being inferred from speech data. After a short educational video on the topic, participants express only moderate privacy concern. However, based on an analysis of open text responses, unconcerned reactions seem to be largely explained by knowledge gaps about possible data misuses. Watching the educational video lowered participants' intention to use voice-enabled devices. In discussing the regulatory implications of our findings, we challenge the notion of "informed consent" to data processing. We also argue that inferences about individuals need to be legally recognized as personal data and protected accordingly.
ICT Systems Security and Privacy Protection
The German Corona-Warn-App (CWA) is one of the most controversial tools to mitigate the Corona virus spread with roughly 25 million users. In this study, we investigate individuals’ knowledge about the CWA and associated privacy concerns alongside different demographic factors. For that purpose, we conducted a study with 1752 participants in Germany to investigate knowledge and privacy concerns of users and non-users of the German CWA. We investigate the relationship between knowledge and privacy concerns and analyze the demographic effects on both. Our results indicate that knowledge about the CWA significantly reduces the privacy concerns about it. Not surprisingly, users have far lower privacy concerns than non-users, but they also have more knowledge about the app. We also find a positive significant effect of education and income and a small negative effect of age on the participants’ knowledge. Furthermore, we find a significant negative effect of income and education on the privacy concerns. Our study has important implications for political decision-makers aiming at increasing adoption rates for helpful technologies to mitigate the severe effects of the pandemic. Most relevant here is to acknowledge the results regarding education, knowledge, privacy concerns and CWA use and devise effective strategies to reach certain groups in the society which are currently not using the CWA. © 2021, IFIP International Federation for Information Processing.
Privacy and Identity Management. Data for Better Living: AI and Privacy
General Data Protection Regulation (GDPR) has not only a great influence on data protection but also on the area of information security, especially with regard to Article 32. This article emphasizes the importance of having a process to regularly test, assess and evaluate the security. Measuring information security, however, involves overcoming many obstacles. The quality of information security can only be measured indirectly using metrics and Key Performance Indicators (KPIs), as no gold standard exists. Many studies are concerned with using metrics to get as close as possible to the status of information security but only a few focus on the comparison of information security metrics. This paper deals with aggregation types of corporate information security maturity levels from different assets in order to find out how the different aggregation functions affect the results and which conclusions can be drawn from them. The required model has already been developed by the authors and tested for applicability by means of case studies. In order to investigate the significance of the ranking from the comparison of the aggregation in more detail, this paper will try to work out in which way a maturity control should be aggregated in order to serve the company best in improving its security. This result will be helpful for all companies aiming to regularly assess and improve their security as requested by the GDPR. To verify the significance of the results with different sets, real information security data from a large international media and technology company has been used.
ICT Systems Security and Privacy Protection
In this paper, we describe an interdisciplinary project in which visualization techniques were developed for and applied to scholarly work from literary studies. The aim was to bring Christof Schöch's electronic edition of Bérardier de Bataut's Essai sur le récit (1776) to the web. This edition is based on the Text Encoding Initiative's XML-based encoding scheme (TEI P5, subset TEILite). This now de facto standard applies to machine-readable texts used chiefly in the humanities and social sciences. The intention of this edition is to make the edited text freely available on the web, to allow for alternative text views (here original and modern/corrected text), to ensure reader-friendly annotation and navigation, to permit on-line collaboration in encoding and annotation as well as user comments, all in an open source, generically usable, lightweight package. These aims were attained by relying on a GPL-based, public domain CMS (Drupal) and combining it with XSL-Styleshee...
This paper provides the survey materials used to collect the data for the conceptual replication of the Internet Users’ Information Privacy Concerns (IUIPC) model by Malhotra et al. (2004). The replication paper (Pape et al., 2020) used awareness, collection and control as constructs for the second order construct of IUIPC, as well as risk and trusting beliefs from the original paper. Instead of intended behavior the self-developed construct of willingness to share was used. Altogether more than 9,000 data points were collected. This paper provides additional materials and details on the participants, and the Japanese survey questions along with an English version for readers who are unfamiliar with Japanese. We hope that the additional information and in particular the Japanese questions provide some background on our study which will allow others a better understanding of our research and to make use of the questions themselves.
In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT outsourcing. We investigate how these concerns manifest as a decisive factor in cloud provider selection by interviews with eight practitioners from German companies. As only a moderate interest is discovered, it is further examined why this is the case. Additionally, we compared the results from a systematic literature survey on cloud security assurance to cloud customers’ verification of their providers’ security measures. This paper provides a qualitative in-depth examination of companies’ attitudes towards security in the cloud. The results of the analysed sample show that security is not necessarily decisive in cloud provider selectio...
Today's environment of data-driven business models relies heavily on collecting as much personal data as possible. This is one of the main causes for the importance of privacy-enhancing technologies (PETs) to protect internet users' privacy. Still, PETs are rather a niche product used by relatively few users on the internet. We undertake a first step towards understanding the use behavior of such technologies. For that purpose, we conducted an online survey with 141 users of the anonymity service "JonDonym". We use the technology acceptance model as a theoretical starting point and extend it with the constructs perceived anonymity and trust in the service. Our model explains almost half of the variance of the behavioral intention to use JonDonym and the actual use behavior. In addition, the results indicate that both added variables are highly relevant factors in the path model.
Social engineering is the clever manipulation of the human tendency to trust to acquire information assets. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Traditional penetration testing approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering. While the amount of social engineering attacks and the damage they cause rise every year, the defences against social engineering do not evolve accordingly. However, tools exist for social engineering intelligence gathering, which means the gathering of information about possible victims that can be used in an attack. We survey these tools and present an overview of their capabilities. We concluded that attackers have a wide range of intelligence gathering tools at their disposal, which increases the likelihood of future attacks and allows even non-technical skilled users t...
As part of the research project “Secure information networks of small- and medium-sized energy providers” (SIDATE), a survey about the IT security status of German energy providers was conducted. The project itself is focused on the IT security of small- and medium-sized energy providers. In August 2016, 881 companies listed by the Federal Network Agency were approached. Between September 1st 2016 and October 15th 2016, 61 (6.9%) of the companies replied. The questionnaire focuses on the implementation of the regulatory requirements and on the implementation of an information security management system (ISMS). Additionally, questions about the energy control system, the network structure, processes, organisational structures, and the IT department were asked. Questions were asked in German, so all questions and answers are translated for this report.
Social engineering is the clever manipulation of the human element to acquire information assets. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. The challenge in defeating social engineering is that it is a deceptive process that exploits human beings. Methods employed in social engineering do not differ much from those used to perform traditional fraud. This implies the applicability of defense mechanisms against the latter to the context of social engineering. Taking this problem into consideration, we designed a serious game that trains people against social engineering using defense mechanisms of social psychology. The results of our empirical evaluation of the game indicate that the game is able to raise awareness for social engineering in an entertaining way.
Generally, measuring the information security maturity is the first step to build a knowledge information security management system in an organization. Unfortunately, it is not possible to measure information security directly. Thus, in order to get an estimate, one has to find reliable measurements. One way to assess information security is by applying a maturity model and assess the level of controls. This does not need to be equivalent to the level of security. Nevertheless, evaluating the level of information security maturity in companies has been a major challenge for years. Although many studies have been conducted to address these challenges, there is still a lack of research to properly analyze these assessments. The primary objective of this study is to show how to use the analytic hierarchy process (AHP) to compare the information security controls’ level of maturity within an industry in order to rank different companies. To validate the approach of this study, we used ...
The AN.ON-Next project aims to integrate privacy-enhancing technologies into the internet’s infrastructure and establish them in the consumer mass market. The technologies in focus include a basis protection at internet service provider level, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobile network. A crucial success factor will be the viable adjustment and development of standards, business models and pricing strategies for those new technologies.
In this position paper we discuss the effect of open data on privacy. In order to reduce privacy issues due to the publication of open data, we suggest to build a database which overviews open data in a structured way with a special focus on privacy. This database could be enhanced with tools which automatically try to link existing datasets and allow publishers to check potential de-anonymization risks.
Computer Science in Cars Symposium
To expand the understanding of privacy concerns in the digital sphere, this paper makes use of the Internet Users’ Information Privacy Concerns (IUIPC) model by Malhotra et al. (2004). The lack of empirical studies conducted in East Asian societies makes it difficult, if not impossible, to shed light on multi-cultural differences in information privacy concerns of internet users. Therefore, we collected data of more than 9,000 Japanese respondents to conduct a conceptual replication of the IUIPC model. For our research goal, we re-assess the validity and reliability of the IUIPC model for Japan and compare the results with internet users' privacy concerns in the USA. Our results indicate that the second-order IUIPC construct, measured reflectively through the constructs awareness, collection, and control, is reliable and valid. Furthermore, three out of the five structural paths of the IUIPC model were confirmed for our Japanese sample. In contrast to the original study, the impa...