

Search for: All records

Creators/Authors contains: "Ruth, Kimberly"


  1. Over the past decade, Internet centralization and its implications for privacy, resilience, and innovation have become a topic of active debate. While the networking community informally agrees on the definition of centralization, we lack a formal metric for quantifying it, which has limited in-depth analysis. In this work, we introduce a rigorous statistical metric for Internet centralization. In doing so, we also uncover how regionalization—geopolitical dependence on the Internet—fundamentally affects centralization. We argue that centralization and regionalization are intertwined forms of dependence that both affect the lived experiences of users and should be jointly studied. We develop a suite of statistical tools, which we use to better understand dependence across three layers of web infrastructure—hosting providers, DNS infrastructure, certificate authorities—in 150 countries. We hope that this statistical toolkit can serve as the foundation for future analysis of Internet behavior. 
    Free, publicly-accessible full text available August 15, 2026
  2. To combat the deluge of enterprise breaches, government agencies have developed and published a wealth of cybersecurity guidance for organizations. However, little research has studied this advice. In this paper, we conduct the first systematic analysis of government guidance for enterprise security. We curate a corpus of prominent guidance documents from 41 countries and analyze the availability of advice, the coverage provided by the advice, and the consistency of advice across countries. To facilitate detailed analysis and comparisons, we develop a tree-based taxonomy and quantitative comparison metric, and then apply these tools to analyze “essential” enterprise best practice documents from ten countries. Our results highlight a lack of consensus among the governments’ frameworks we analyzed—even among close allies—about what security measures to recommend and how to present guidance. 
    Free, publicly-accessible full text available August 13, 2026
  3. Chief Information Security Officers (CISOs) are responsible for setting and executing organizations’ information security strategies. This role has only grown in importance as a result of today’s increasingly high-stakes threat landscape. To understand these key decision-makers, we interviewed 16 current and former CISOs to understand how they build a security strategy and the day-to-day obstacles that they face. Throughout, we find that the CISO role is strongly shaped by a business enablement perspective, driven by broad organizational goals beyond solely technical protection. Within that framing, we describe the most salient concerns for CISOs, isolate key decision-making factors they use when prioritizing security investments, and surface practical complexities and pain points that they face in executing their strategy. Our results surface opportunities to help CISOs better navigate the complex task of managing organizational risk, as well as lessons for how security tools can be made more deployable in practice. 
    Free, publicly-accessible full text available April 28, 2026
  4. Augmented reality (AR) technologies, such as Microsoft’s HoloLens head-mounted display and AR-enabled car windshields, are rapidly emerging. AR applications provide users with immersive virtual experiences by capturing input from a user’s surroundings and overlaying virtual output on the user’s perception of the real world. These applications enable users to interact with and perceive virtual content in fundamentally new ways. However, the immersive nature of AR applications raises serious security and privacy concerns. Prior work has focused primarily on input privacy risks stemming from applications with unrestricted access to sensor data. However, the risks associated with malicious or buggy AR output remain largely unexplored. For example, an AR windshield application could intentionally or accidentally obscure oncoming vehicles or safety-critical output of other AR applications. In this work, we address the fundamental challenge of securing AR output in the face of malicious or buggy applications. We design, prototype, and evaluate Arya, an AR platform that controls application output according to policies specified in a constrained yet expressive policy framework. In doing so, we identify and overcome numerous challenges in securing AR output. 