Academic Publications

Identity Threat Assessment and Prediction

Published on Jun 1, 2018

Identity theft and related threats are increasingly common occurrences. This paper is an overview of the Identity Threat Assessment and Prediction (ITAP) project. It describes our use of news stories to gather raw data about incidents of identity theft, fraud, and abuse. Through these news stories, we seek to determine the methods and resources used to carry out these crimes; the vulnerabilities exploited; and the consequences of these incidents. The ITAP Model is a large and continually growing, structured repository of such information. There are currently about 5,000 incidents captured in the model. To this body of information we apply a variety of analytical tools that enable us to show and compare threats, losses, and trends. We discovered notable and sometimes surprising results. A goal of this project is to be able to predict future threats, and to provide some concrete guidance on how to avoid them.

Citation

Zaiss, J., R. Nokhbeh Zaeem, and K.S. Barber, “Identity Threat Assessment and Prediction,” accepted to Journal of Consumer Affairs, 2018.

Understanding Victim-Enabled Identity Theft: Perpetrator and Victim Perspectives

Published on May 3, 2018

Victim-enabled identity theft is a crime in which an individual victim is deceived into providing their personally identifying information (PII) to a criminal to facilitate its theft and/or misuse. In this paper we analyse a particular victim-enabled tax-related identity theft scheme recently reported in Australia, which has also been reported, in a slightly different guise, in the US. We find that this scheme, and others like it, are best understood when studied from both the perpetrator’s and the victim’s points of view. The criminal perspective and business practices have been captured and analysed in the Identity Threat Assessment and Prediction (ITAP) model developed by the Center for Identity at The University of Texas (UT CID). The victim perspective has been captured from multiple victim case files captured by IDCARE. The research findings support the view that combining perspectives enhances the analytical value of a threat assessment and prediction model. The multi-actor nature of victim-enabled identity theft complements the methodological approach adopted in the paper, and provides new insights on a growing form of identity theft that can 

Citation

D. Lacey, J. Zaiss and K. S. Barber, "Understanding victim-enabled identity theft," 2016 14th Annual Conference on Privacy, Security and Trust (PST), Auckland, 2016, pp. 196-202.

PrivacyCheck: Automatic Summarization of Privacy Policies Using Data Mining

Published on May 1, 2018

Prior research shows that only a tiny percentage of users actually read the online privacy policies they implicitly agree to while using a website. Prior research also suggests that users ignore privacy policies because these policies are lengthy and, on average, require two years of college education to comprehend. We propose a novel technique that tackles this problem by automatically extracting summaries of online privacy policies. We use data mining models to analyze the text of privacy policies and answer ten basic questions concerning the privacy and security of user data, what information is gathered from them, and how this information is used. In order to train the data mining models, we thoroughly study privacy policies of 400 companies (considering 10% of all listings on NYSE, Nasdaq, and AMEX stock markets) across industries. Our free Chrome browser extension, PrivacyCheck, utilizes the data mining models to summarize any HTML page that contains a privacy policy. PrivacyCheck stands out from currently available counterparts because it is readily applicable on any online privacy policy. Cross validation results show that PrivacyCheck summaries are accurate 40% to 73% of the time. Over 400 independent Chrome users are currently using PrivacyCheck.

Citation

Nokhbeh Zaeem, R., German, R. L., and Barber, K. Suzanne, “PrivacyCheck: Automatic Summarization of Privacy Policies Using Data Mining,” ACM Transactions on Internet Technology (TOIT), 18 (4), Article 53. May 2018.

Modeling and Analysis of Identity Threat Behaviors through Text Mining of Identity Theft Stories

Published on Nov 10, 2017

Identity theft, fraud, and abuse are problems affecting the entire society. Identity theft is often a “gateway” crime, as criminals use stolen or fraudulent identities to steal money, claim eligibility for services, hack into networks without authorization, and so on. The available data describing identity crimes and their aftermath are often in the form of recorded stories and reports by the news press, fraud examiners, and law enforcement. All of these sources are unstructured. In order to analyze identity theft data, this research proposes an approach which involves the novel collection of online news stories and reports on the topic of identity theft. Our approach pre-processes the raw text and extracts semi-structured information automatically, using text mining techniques. This paper presents statistical analysis of behavioral patterns and resources used by thieves and fraudsters to commit identity theft, including the identity attributes commonly linked to identity crimes, resources thieves employ to conduct identity crimes, and temporal patterns of criminal behavior. Furthermore, the automatically extracted information is validated against manually investigated news stories. Analyses of these results increase empirical understanding of identity threat behaviors, offer early warning signs of identity theft, and thwart future identity theft crimes.

Citation

Nokhbeh Zaeem, R., M. Manoharan, M., Y. Yang, and K. Suzanne Barber, “Modeling and Analysis of Identity Threat Behaviors through Text Mining of Identity Theft Stories,” Journal of Computers and Security Vol. 65 pp. 50-63, 2017.  

A Study of Web Privacy Policies Across Industries

Published on Nov 1, 2017

Today, more than ever, companies collect their customers’ Personally Identifiable Information (PII) over the Internet. The alarming rate of PII misuse drives the need for improving companies’ privacy practices. We thoroughly study privacy policies of 600 companies (10% of all listings on NYSE, Nasdaq, and AMEX stock markets) across industries and investigate ten different privacy pertinent factors in them. The study reveals interesting trends: for example, more than 30% of the companies still lack privacy policies, and the rest tend to collect users’ information but claim to use it only for the intended purpose. Furthermore, almost one out of every two companies provides the collected information to law enforcement without asking for a warrant or subpoena. We found that the majority of the companies do not collect children’s PII, one out of every three companies let users correct their PII but do not allow complete deletion, and the majority post new policies online and expect the user to check the privacy policy frequently. The findings of this study can help companies improve their privacy policies, enable lawmakers to create better regulations and evaluate their effectiveness, and finally educate users with respect to the current state of privacy practices in an industry.

Citation

Nokhbeh Zaeem, R. and K. Suzanne Barber, “A Study of Web Privacy Policies Across Industries,” Journal of Information Privacy and Security 13(4), pp. 169-185, Nov. 2017.

Tournament Models for Authority Identification in Online Communities

Published on Mar 25, 2017

Authority identification is an important problem in online information sharing communities such as question answer (Q&A) forums and online social networks (OSNs), where users care as much about the quality of information being accessed, as its alignment with their interests. This paper investigates a tournament model based approach to authority identification, where interactions between users are modeled as generated by a Bradley-Terry model. We derive a new measure of user authority, the average winnings score, for authority identification in Q&A forums, and evaluate it on data derived from the Stack Exchange Q&A forum. We also show how the log fair bets measure, which has been successfully used for authority identification in OSNs in the past, can be derived from tournament models. We also prove some key results related to a co-ranking framework, for combining information from multiple preference expression graphs based on the same OSN. We then demonstrate the empirical effectiveness of tournament model based approaches, in conjunction with the co-ranking framework.

Citation

Budalakoti, S., R. Nokhbeh Zaeem, and K.S. Barber, “Tournament Models for Authority Identification in Online Communities,” International Journal of Computer and Information Technology (IJCIT) (ISSN: 2279-0764) 6 (2), pp. 75-83, 2017.

A Model for Calculating User-Identity Trustworthiness in Online Transactions

Published on Sep 3, 2015

Online transactions require a fundamental relationship between users and resource providers (e.g., retailers, banks, social media networks) built on trust; both users and providers must believe the person or organization they are interacting with is who they say they are. Yet with each passing year, major data breaches and other identity-related cybercrimes become a daily way of life, and existing methods of user identity authentication are lacking. Furthermore, much research on identity trustworthiness focuses on the user’s perspective, whereas resource providers receive less attention. Therefore, the current research investigated how providers can increase the likelihood their users’ identities are trustworthy. Leveraging concepts from existing research, the user-provider trust relationship is modeled with different transaction contexts and attributes of identity. The model was analyzed for two aspects of user-identity trustworthiness—reliability and authenticity—with a significant set of actual user identities obtained from the U.S. Department of Homeland Security. Overall, this research finds that resource providers can significantly increase confidence in user-identity trustworthiness by simply collecting a limited amount of user-identity attributes.

Citation

Soeder, B. and K.S. Barber, 13th Annual Conference on Privacy, Security and Trust (PST), pp. 177-185, 2015.

Systematic Reciprocal Rewards: Motivating Expert Participation in Online Communities with a Novel Class of Incentives

Published on Nov 1, 2014

Online communities such as question and answer (QA) systems are growing rapidly and we increasingly rely on them for valuable information and entertainment. However, finding meaningful rewards to motivate participation from the most qualified users, or experts, presents researchers with two main challenges: (1) identifying these users and (2) rewarding their participation. Using an interdisciplinary theoretical framework, we illustrate possibilities for identifying and motivating the most valuable contributors to online communities. We suggest that access to peer-generated content can directly motivate people to apply their own expertise, thereby generating more content. Survey data from 380 participants suggests that users strongly prefer a novel class of incentives—reciprocal systemic rewards—to traditional achievement-based rewards. Overall, this research presents important considerations for many different types of online communities, including social networking and news aggregation sites.

Citation

DeAngelis, D. and K.S. Barber, “Systematic Reciprocal Rewards: Motivating Expert Participation in Online Communities with a Novel Class of Incentives,” International Journal of Agent Technologies and Systems (IJATS), Vol. 6(2), pp. 30-50, 2014.

Trustworthiness of identity attributes

Published on Sep 9, 2014

Individuals declare their identities to online network providers with credentials such as usernames, passwords, and email addresses. To obtain these credentials from providers, users enroll by providing identity attributes, or collections of personal identifiable information (PII), such as phone numbers. Credentials vary in trustworthiness, and thus, so do identities. In search of better methods for increasing trustworthiness, we present a computational model of identity attributes described as an Identity Ecosystem to determine which are most vulnerable to malicious users. Using existing data from the U.S. Army and Department of Defense, we model relationships between attributes as transition probabilities and analyze the long-run probability of all connected attributes being affected by one compromised attribute. This approach allows the provider to determine how best to weight relationships between attributes and thereby become more secure. Copyright is held by the owner/author(s). Publication rights licensed to ACM.

Citation

Soeder, B., & Barber, K. S. Trustworthiness of identity attributes. In Proceedings of the 7th International Conference on Security of Information and Networks (SIN 2014), vol. 2014-September, pp. 4-8, 2014.

Incentives for Online Communities

Published on Sep 1, 2014

Online communities promote wide access to a vast range of skills and knowledge from a heterogeneous group of users. Yet implementations of various online communities lack consistent participation by the most qualified users. Encouraging such expert participation is crucial to the social welfare and widespread adoption of online community systems. Thus, this research proposes techniques for rewarding the most valuable contributors to several classes of online communities, including question and answer (QA) forums and other content-oriented social networks. Overall, novel quantitative incentives can be used to encourage their participation. Using a game theory approach, this research designs and tests an incentive mechanism for QA systems. Based on survey data gathered from online community users, the proposed mechanism relies on systemic rewards, or rewards that have tangible value within the framework of the online community. This research shows that human users have a strong preference for reciprocal systemic rewards over traditional rewards. Furthermore, this research shows that it is possible to motivate participation from the most valuable contributors to an online community.

Citation

DeAngelis, D. and K.S. Barber, International Journal of Computer and Information Technology (IJCIT), vol. 3(6), pp. 1229-1240, 2014.
