Measuring NIST Authentication Standards Compliance by Higher Education Institutions
- URL: http://arxiv.org/abs/2409.00546v3
- Date: Mon, 09 Jun 2025 21:58:03 GMT
- Title: Measuring NIST Authentication Standards Compliance by Higher Education Institutions
- Authors: Noah Apthorpe, Boen Beavers, Yan Shvartzshnaider, Brett Frischmann,
- Abstract summary: This paper examines the authentication policies of 135 colleges and universities in the United States and Canada. We find widespread, but not universal, deployment of multi-factor authentication across institutions. We also find prevalent outdated use of password expiration, password composition rules, and knowledge-based authentication.
- Score: 0.509981114473162
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Technical standards are a longstanding method of communicating best practice recommendations based on expert consensus. Cybersecurity standards are particularly important for informing policies that protect critical systems and sensitive data. Measuring standards compliance is therefore essential to identify vulnerabilities arising from outdated policies and to determine whether expert advice has effectively diffused to practitioners. In this paper, we examine the authentication policies of a diverse set of 135 colleges and universities in the United States and Canada to determine compliance with four standards from NIST Special Publication 800-63 Digital Identity Guidelines. We find widespread, but not universal, deployment of multi-factor authentication across institutions. We also find prevalent outdated use of password expiration, password composition rules, and knowledge-based authentication. These results support further investment and research into incentive structures for standards compliance and the diffusion of expert guidance to practitioners.
Related papers
- Standard Applicability Judgment and Cross-jurisdictional Reasoning: A RAG-based Framework for Medical Device Compliance [3.439579933384111]
Given a free-text device description, our system retrieves candidate standards from a curated corpus and uses large language models to infer jurisdiction-specific applicability. We construct an international benchmark dataset of medical device descriptions with expert-annotated standard mappings, and evaluate our system against retrieval-only, zero-shot, and rule-based baselines. The proposed approach attains a classification accuracy of 73% and a Top-5 retrieval recall of 87%, demonstrating its effectiveness in identifying relevant regulatory standards.
arXiv Detail & Related papers (2025-06-23T11:04:58Z)
- Zero Trust Cybersecurity: Procedures and Considerations in Context [9.9303344240134]
This paper explores the Zero Trust cybersecurity framework, which operates on the principle of never trust, always verify to mitigate vulnerabilities within organizations. It examines the applicability of Zero Trust principles in environments where large volumes of information are exchanged, such as schools and libraries.
arXiv Detail & Related papers (2025-05-24T21:24:46Z)
- SConU: Selective Conformal Uncertainty in Large Language Models [59.25881667640868]
We propose a novel approach termed Selective Conformal Uncertainty (SConU)
We develop two conformal p-values that are instrumental in determining whether a given sample deviates from the uncertainty distribution of the calibration set at a specific manageable risk level.
Our approach not only facilitates rigorous management of miscoverage rates across both single-domain and interdisciplinary contexts, but also enhances the efficiency of predictions.
arXiv Detail & Related papers (2025-04-19T03:01:45Z)
- Multi-Stage Retrieval for Operational Technology Cybersecurity Compliance Using Large Language Models: A Railway Casestudy [1.1010026679581653]
This paper proposes a novel system that leverages Large Language Models (LLMs) and multi-stage retrieval to enhance the compliance verification process.
We first evaluate a Baseline Compliance Architecture (BCA) for answering OTCS compliance queries, then develop an extended approach called Parallel Compliance Architecture (PCA)
We demonstrate that the PCA significantly improves both correctness and reasoning quality in compliance verification.
arXiv Detail & Related papers (2025-04-18T19:24:17Z)
- The Digital Cybersecurity Expert: How Far Have We Come? [49.89857422097055]
We develop CSEBenchmark, a fine-grained cybersecurity evaluation framework based on 345 knowledge points expected of cybersecurity experts.
We evaluate 12 popular large language models (LLMs) on CSEBenchmark and find that even the best-performing model achieves only 85.42% overall accuracy.
By identifying and addressing specific knowledge gaps in each LLM, we achieve up to an 84% improvement in correcting previously incorrect predictions.
arXiv Detail & Related papers (2025-04-16T05:36:28Z)
- Are Users More Willing to Use Formally Verified Password Managers? [47.205801464292485]
We design and implement two experiments to understand how formal verification impacts users.
We focus on the application domain of password managers since it has been documented that the lack of trust in password managers might lead to lower adoption.
We conclude that formal verification is seen as desirable by users and identify three actionable recommendations to improve formal verification communication efforts.
arXiv Detail & Related papers (2025-04-02T20:57:49Z)
- AILuminate: Introducing v1.0 of the AI Risk and Reliability Benchmark from MLCommons [62.374792825813394]
This paper introduces AILuminate v1.0, the first comprehensive industry-standard benchmark for assessing AI-product risk and reliability.
The benchmark evaluates an AI system's resistance to prompts designed to elicit dangerous, illegal, or undesirable behavior in 12 hazard categories.
arXiv Detail & Related papers (2025-02-19T05:58:52Z)
- Cybersecurity Study Programs: What's in a Name? [0.2999888908665658]
Higher education institutions are introducing new cybersecurity programs, attracting students to this expanding field.
Top-ranked universities have not yet fully implemented the guidelines and offer programs that have "cyber" in their name but lack some essential elements of a cybersecurity program.
Graduates of these programs may not meet employer expectations and may require additional training.
arXiv Detail & Related papers (2024-11-14T07:14:52Z)
- Dual-Technique Privacy & Security Analysis for E-Commerce Websites Through Automated and Manual Implementation [2.7039386580759666]
38.5% of the websites deployed over 50 cookies per session, many of which were categorized as unnecessary or unclear in function.
Our manual assessment uncovered critical gaps in standard security practices, including the absence of mandatory multi-factor authentication and breach notification protocols.
Based on these findings, we recommend targeted improvements to privacy policies, enhanced transparency in cookie usage, and the implementation of stronger authentication protocols.
arXiv Detail & Related papers (2024-10-19T03:25:48Z)
- AssessITS: Integrating procedural guidelines and practical evaluation metrics for organizational IT and Cybersecurity risk assessment [0.0]
'AssessITS' aims to enable organizations to enhance their IT security strength actionable based on internationally recognized standards.
arXiv Detail & Related papers (2024-10-02T17:01:59Z)
- An Open Knowledge Graph-Based Approach for Mapping Concepts and Requirements between the EU AI Act and International Standards [1.9142148274342772]
The EU's AI Act will shift the focus of such organizations toward conformance with the technical requirements for regulatory compliance.
This paper offers a simple and repeatable mechanism for mapping the terms and requirements relevant to normative statements in regulations and standards.
arXiv Detail & Related papers (2024-08-21T18:21:09Z)
- AuditNet: A Conversational AI-based Security Assistant [DEMO] [10.941722434218262]
We propose a versatile conversational AI assistant framework designed to facilitate compliance checking on the go.
Our framework automates the review, indexing, and retrieval of relevant, context-aware information.
This AI assistant not only reduces the manual effort involved in compliance checks but also enhances accuracy and efficiency.
arXiv Detail & Related papers (2024-07-19T08:33:07Z)
- Collection, usage and privacy of mobility data in the enterprise and public administrations [55.2480439325792]
Security measures such as anonymization are needed to protect individuals' privacy.
Within our study, we conducted expert interviews to gain insights into practices in the field.
We survey privacy-enhancing methods in use, which generally do not comply with state-of-the-art standards of differential privacy.
arXiv Detail & Related papers (2024-07-04T08:29:27Z)
- Privacy Risks of General-Purpose AI Systems: A Foundation for Investigating Practitioner Perspectives [47.17703009473386]
Powerful AI models have led to impressive leaps in performance across a wide range of tasks.
Privacy concerns have led to a wealth of literature covering various privacy risks and vulnerabilities of AI models.
We conduct a systematic review of these survey papers to provide a concise and usable overview of privacy risks in GPAIS.
arXiv Detail & Related papers (2024-07-02T07:49:48Z)
- Assessing The Effectiveness Of Current Cybersecurity Regulations And Policies In The US [0.0]
The study evaluates the impact of these regulations on different sectors and analyzes trends in cybercrime data from 2000 to 2022.
The findings highlight the challenges, successes, and the need for continuous adaptation in the face of evolving cyber threats.
arXiv Detail & Related papers (2024-04-17T15:26:55Z)
- A Safe Harbor for AI Evaluation and Red Teaming [124.89885800509505]
Some researchers fear that conducting such research or releasing their findings will result in account suspensions or legal reprisal.
We propose that major AI developers commit to providing a legal and technical safe harbor.
We believe these commitments are a necessary step towards more inclusive and unimpeded community efforts to tackle the risks of generative AI.
arXiv Detail & Related papers (2024-03-07T20:55:08Z)
- A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z)
- Cultural Differences in Students' Privacy Concerns in Learning Analytics across Germany, South Korea, Spain, Sweden, and the United States [47.11163387909141]
Students' privacy concerns vary across national and cultural dimensions.
German and Swedish students stood out as the most trusting and least concerned.
Culture measured at the individual level affected the antecedents and outcomes of privacy concerns more than country-level culture.
arXiv Detail & Related papers (2023-12-04T18:10:20Z)
- No Trust without regulation! [0.0]
The explosion in performance of Machine Learning (ML) and the potential of its applications are encouraging us to consider its use in industrial systems.
It is still leaving too much to one side the issue of safety and its corollary, regulation and standards.
The European Commission has laid the foundations for moving forward and building solid approaches to the integration of AI-based applications that are safe, trustworthy and respect European ethical values.
arXiv Detail & Related papers (2023-09-27T09:08:41Z)
- Expert opinions on making GDPR usable [0.0]
We use as respondents experts working across fields of relevance to four concepts, including law and data protection/privacy, certifications and standardization, and usability.
We employ theory triangulation to analyze the data representing three groups of experts, categorized as 'criterias', 'law', and 'usability', coming both from industry and academia.
arXiv Detail & Related papers (2023-08-16T11:20:16Z)
- PLUE: Language Understanding Evaluation Benchmark for Privacy Policies in English [77.79102359580702]
We introduce the Privacy Policy Language Understanding Evaluation benchmark, a multi-task benchmark for evaluating the privacy policy language understanding.
We also collect a large corpus of privacy policies to enable privacy policy domain-specific language model pre-training.
We demonstrate that domain-specific continual pre-training offers performance improvements across all tasks.
arXiv Detail & Related papers (2022-12-20T05:58:32Z)
- Unraveling the Connections between Privacy and Certified Robustness in Federated Learning Against Poisoning Attacks [68.20436971825941]
Federated learning (FL) provides an efficient paradigm to jointly train a global model leveraging data from distributed users.
Several studies have shown that FL is vulnerable to poisoning attacks.
To protect the privacy of local users, FL is usually trained in a differentially private way.
arXiv Detail & Related papers (2022-09-08T21:01:42Z)
- Emergent Insight of the Cyber Security Management for Saudi Arabian Universities: A Content Analysis [0.0]
The project is designed to assess the cybersecurity management and policies in Saudi Arabian universities.
The subsequent recommendations can be adopted to enhance the security of IT systems.
arXiv Detail & Related papers (2021-10-09T10:48:30Z)
- Learning Barrier Certificates: Towards Safe Reinforcement Learning with Zero Training-time Violations [64.39401322671803]
This paper explores the possibility of safe RL algorithms with zero training-time safety violations.
We propose an algorithm, Co-trained Barrier Certificate for Safe RL (CRABS), which iteratively learns barrier certificates, dynamics models, and policies.
arXiv Detail & Related papers (2021-08-04T04:59:05Z)
- Biometrics: Trust, but Verify [49.9641823975828]
Biometric recognition has exploded into a plethora of different applications around the globe.
There are a number of outstanding problems and concerns pertaining to the various sub-modules of biometric recognition systems.
arXiv Detail & Related papers (2021-05-14T03:07:25Z)
This list is automatically generated from the titles and abstracts of the papers in this site.