Conference: USENIX Symposium on Usable Privacy and Security (SOUPS) 2023 Abstract: Organizations around the world are using the NIST Phish Scale (NPS) in their phishing awareness training programs. As a new metric for measuring human phishing detection difficulty of phishing emails, the use of the NPS by phishing training implementers across different types of organizations has no...
Conference: IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2023) Abstract: Current definitions of cybersecurity are not standardized and are often targeted towards cybersecurity experts and academics. There has been little evaluation about the appropriateness and understandability of these definitions for non-experts (individuals without cybersecurity expertise). This pose...
Abstract: Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite v...
Abstract: The approved security functions listed in this publication replace the ones listed in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 Annex C and ISO/IEC 24759 6.15, within the context of the Cryptographic Module Validation Program (CMVP). As...
Abstract: The approved sensitive security parameter generation and establishment methods listed in this publication replace the ones listed in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 Annex D and ISO/IEC 24759 paragraph 6.16, within the context o...
Abstract: The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication in...
Conference: 10th International Conference on HCI in Business, Government and Organizations (HCIBGO) Abstract: The goal of organizational security awareness programs is to positively influence employee security behaviors. However, organizations may struggle to determine program effectiveness, often relying on training policy compliance metrics (e.g., training completion rates) rather than measuring actual im...
Conference: 5th International Conference on HCI for Cybersecurity, Privacy and Trust Abstract: Unsupported smart home devices can pose serious safety and security issues for consumers. However, unpatched and vulnerable devices may remain connected because consumers may not be alerted that their devices are no longer supported or do not understand the implications of using unsupported devices....
Conference: 25th International Conference on Human-Computer Interaction Abstract: Many professional domains require the collection and use of personal data. Protecting systems and data is a major concern in these settings, making it necessary that workers who interact with personal data understand and practice good security and privacy habits. However, to date, there has been lit...
Conference: 5th International Conference on HCI for Cybersecurity, Privacy, and Trust (HCI-CPT 2023) Abstract: Though much is known about how adults understand and use passwords, little research attention has been paid specifically to parents or, more importantly, to how parents are involved in their children’s password practices. To better understand both the password practices of parents, as well as how pa...
Conference: 15th International Conference on Social Computing and Social Media (SCSM 2023) Abstract: Encountering or engaging in risky online behavior is an inherent aspect of being an online user. In particular, youth are vulnerable to such risky behavior, making it important to know how they understand and think about this risk-taking behavior. Similarly, with parents being some of the first and...
Abstract: This publication from the National Initiative for Cybersecurity Education (NICE) describes Competency Areas as included in the Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication 800-181, Revision 1, a fundamental reference for describing and sharing information about cy...
Abstract: The U.S. Water and Wastewater Systems (WWS) sector has been undergoing a digital transformation. Many sector organizations are utilizing data-enabled capabilities to improve utility management, operations, and service delivery. The ongoing adoption of automation, sensors, data collection, network de...
Abstract: The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more schemes that provide Authenticated Encryption with Associated Data (AEAD) and optional hashing functionalities and are suitable for constrained environments. In February 2019, 5...
Abstract: Low-cost genomic sequencing technologies facilitate collection, sequencing, and analysis of vast quantities of genomic data, fueling our nation’s economic and health leadership posture. However, this valuable genomic information may not be protected with sufficient rigor commensurate with cybersecur...
Abstract: This document is the Cybersecurity Framework Profile developed for the Liquefied Natural Gas (LNG) industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework Profile can be used by liquefaction faciliti...
Abstract: There are several new digital credentials-based standards emerging and they are all silos operating in specific environments and written for specific contexts. As such, there is a lack of foundational, strongly verifiable, and trustable digital credentials available to make transition to today...
Abstract: During Fiscal Year 2022 (FY 2022) – from October 1, 2021, through September 30, 2022 – the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the FY 2022...
Abstract: Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This docume...
Conference: 2023 IEEE Symposium on Security and Privacy Abstract: Updates may be one of the few tools consumers have to mitigate security and privacy vulnerabilities in smart home devices. However, little research has been undertaken to understand users’ perceptions and experiences with smart home updates. To address this gap, we conducted an online survey of a de...
Abstract: Mobile devices were initially personal consumer communication devices but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data. This publication assists organizations in managing and securing these devices by describing available...
Abstract: In 2000, NIST announced the selection of the Rijndael block cipher family as the winner of the Advanced Encryption Standard (AES) competition. Block ciphers are the foundation for many cryptographic services, especially those that provide assurance of the confidentiality of data. Three members of t...
Abstract: The objective of state machine replication (SMR) is to emulate a centralized service in a distributed, fault-tolerant fashion. To this end, a set of mutually distrusting processes must agree on the execution of client-submitted commands. Since the advent of Bitcoin, the idea of SMR has received sign...