Dr. Guillermo A Francia III

This conference paper was published in the proceedings for CSCE 2024.
This paper describes ongoing research on the use of Generative Artificial Intelligence (GenAI) in generating learning objects. Learning Objects are digital or non-digital artifacts, which can be used, re-used or referenced to augment or enhance the learning process. Examples of these are presentation slides, images, text, surveys, quizzes, and hands-on exercises. The unprecedented availability and capability of GenAI tools in recent years brings us to consider how their technical capacities and abilities can bring about effective and useful learning objects. We first explore the published literature to survey work that has been reported in the field of applied GenAI to generate learning objects. Next, we provide a review of their technical features and closely look at the distinctive features of the tools used in various GenAI models. The focus of this research is to develop a method of utilizing freely available GenAI tools to expedite the generation of learning objects and to evaluate their effectiveness. Specifically, we seek to optimize the utilization of these AI-generated learning objects for active-learning applications and learning best practices.

The rise of automated technologies due to recent advances in Intelligent Transportation systems (ITS) from autonomous delivery services to physical transportation is rapidly developing and public availability is imminent with the active deployment and testing of teleoperation models launching this reality. With the inaugural release of the National Roadway Safety Strategy in 2022, the U.S. National transportation industry initiative aims for a goal of zero roadway fatalities and part of the solution is in designing safer autonomous or self-driving vehicle systems as viable forms of transport [14]. This initiative is prompted by the fact that worldwide vehicle related accidents result in 1.3 million deaths annually [13]. Further, this ambitious commitment to deliver safety and reliability in automotive teleoperations is commendable and will require further intentional efforts to focus on mitigating existing cybersecurity vulnerability and threat concerns. Additionally, the automotive industry supports integration of cybersecurity risk assessment and management through enforcing the joint International Organization for Standardization and Society of Automobile Engineers (ISO/SAE) 21434 standard and governance on road vehicle systems design and development. This ongoing research aims to develop a comprehensive framework to aid in threat mitigation by providing a conceptual information exchange flow model on Connected Autonomous Vehicle (CAV) and utilizing existing knowledge of threats to general information system security. By identifying the information flow, threat analysis and risk assessment risk based on threat vectors may be combined hybrid model approach annotating a ranked list to display classify risk factors into three severity levels: high, medium, low. This is an integral part of an overarching research on the design and development of a set of methodologies supporting the automotive industry toward the prevention of connected automotive cybersecurity vulnerability exploitation and promoting risk mitigation.

The rapid advancement of automotive vehicle communication technology ushered in the expansion of the cyber-attack surface on this type of transport system. A recent study projects that there will be 200 million vehicles on the road worldwide with embedded connectivity by 2025. The security and safety of these vehicles and, most importantly, their occupants are paramount. Recognizing this need, organizations consisting of entities from governments, manufacturers, service providers, professionals, and/or trade groups are constantly introducing, revising, and updating automotive vehicle security standards and regulations. This chapter examines the state of automotive vehicle communication, their vulnerabilities and security issues, the existing security standards and regulations that apply to this type of transport, and the compliance and auditing issues related to these directives. The chapter concludes with reflections and directions for continuous improvements and future research.

Recent decades have seen a proliferation of cybersecurity guidance in the form of government regulations and standards with which organizations must comply. As society becomes more heavily dependent on cyberspace, increasing levels of security measures will need to be established and maintained to protect the confidentiality, integrity, and availability of information. Global Perspectives on Information Security Regulations: Compliance, Controls, and Assurance summarizes current cybersecurity guidance and provides a compendium of innovative and state-of-the-art compliance and assurance practices and tools. It provides a synopsis of current cybersecurity guidance that organizations should consider so that management and their auditors can regularly evaluate their extent of compliance. Covering topics such as cybersecurity laws, deepfakes, and information protection, this premier reference source is an excellent resource for cybersecurity consultants and professionals, IT specialists, business leaders and managers, government officials, faculty and administration of both K-12 and higher education, libraries, students and educators of higher education, researchers, and academicians.
Recent decades have seen a proliferation of cybersecurity guidance in the form of government regulations and standards with which organizations must comply. As society becomes more heavily dependent on cyberspace, increasing levels of security measures will need to be established and maintained to protect the confidentiality, integrity, and availability of information. Global Perspectives on Information Security Regulations: Compliance, Controls, and Assurance summarizes current cybersecurity guidance and provides a compendium of innovative and state-of-the-art compliance and assurance practices and tools. It provides a synopsis of current cybersecurity guidance that organizations should consider so that management and their auditors can regularly evaluate their extent of compliance. Covering topics such as cybersecurity laws, deepfakes, and information protection, this premier reference source is an excellent resource for cybersecurity consultants and professionals, IT specialists, business leaders and managers, government officials, faculty and administration of both K-12 and higher education, libraries, students and educators of higher education, researchers, and academicians.

Human and system behaviors, as they relate to information security, are facets that have always been hard to measure. Simply put, there are too many factors to account for when considering the knowledge, experiences, and relationships of individuals. And when these are coupled with information systems, their complexities rise to several levels of magnitude. Given the absence of empirical data, we argue for the utilization of an agent-based modeling and simulation system toward gaining an understanding of entity behavior in cyber space. In this chapter, we report the results of an ongoing research project, which utilizes agent-based models and scenarios to simulate the effect of user trust, adversary sophistication, user training, and system defenses on cybersecurity. These independent simulations utilize software agents that assume certain predefined attributes to emulate their physical counterparts on an environment that represents the cyber space.

The emergence of connected and autonomous vehicles at an unprecedented pace ushered several state-sponsored initiatives to start planning and building a transportation information network that utilizes intelligent sensors and sophisticated communication systems. Peripheral sensors that are used to assist the human operator in lane changing, obstacle avoidance, and parking are slowly being integrated in modern automotive vehicles. Although this newly found convenience is a boon to the society, both socially and economically, it presents security challenges that are endemic to connected technologies. These challenges underscore the need to look closely at the state of automotive vehicle network security. Consequently, security metrics must be developed in order to measure the state of vehicle network security. As a major component of continuous improvement, quantitative and qualitative measures must be devised to be able to make a full appreciation of the process. This chapter describes vehicle network security metrics and derives sample attack calculations to illustrate their applicability.

The innovations in the interconnectivity of vehicles enable both expediency and insecurity. Surely, the convenience of gathering real-time information on traffic and weather conditions, the vehicle maintenance status, and the prevailing condition of the transport system at a macro level for infrastructure planning purposes is a boon to society. However, this newly found conveniences present unintended consequences. Specifically, the advancements on automation and connectivity are outpacing the developments in security and safety. We simply cannot afford to make the same mistakes similar to those that are prevalent in our critical infrastructures. Starting at the lowest level, numerous vulnerabilities have been identified in the internal communication network of vehicles. This study is a contribution towards the broad effort of securing the communication network of vehicles through the use of Machine Learning.

Our ever-increasing dependence on information technology brings us to new crossroads and challenges confronting national security protection. Both private and public entities recognized these issues and are currently making progress toward addressing the problems of cybersecurity. A major component of cybersecurity, or any technical program, is effective training that could alleviate, if not eliminate, the threat imposed by the adversarial entities.
Training programs are guided by learning processes that could utilize passive and active learning strategies. While passive learning incorporates rote learning, active learning places more responsibility to students by engaging them in problem-based or case-based learning processes. The student is presented with interactive scenarios which facilitate the progression of the student toward a solution to the problem. In following the storyline, the students apply their acquired domain knowledge and critical thinking skills while receiving constructive feedback based on the decisions that they have made (Massey University of New Zealand, 2020).
Recognizing these needs, we initiated an innovative cybersecurity training and education project with the following objectives: to design, develop, test, and deploy a highly interactive, automated, and intelligent cybersecurity scenario builder and retrieval software toolkit for active cybersecurity learning; to build a virtual machine (VM) that will accompany each scenario; and to facilitate the deployment of the scenarios on a cyber range. Each scenario will be created using our novel concept: Open Virtualization Scenario.

The daily intrusion attempts and attacks on industrial control systems (ICS) and embedded systems (ES) underscore the criticality of the protection of our Critical Infrastructures (CIs). As recent as mid-July 2018, numerous reports on the infiltration of US utility control rooms by Russian hackers have been published. This successful infiltration and possible manipulation of the utility companies could easily translate to a devastating attack on our nation’s power grid and, consequently, our economy and well-being. Indeed, the need to secure the control and embedded systems which operate our CIs has never been so pronounced. In our attempt to address this critical need, we designed, developed and implemented ICS and ES security curriculum modules with pertinent hands-on laboratory exercises that can be freely adopted across the national setting. This paper describes in detail the modules and the accompanying exercises and proposes future enhancements and extensions to these pedagogical instruments. It highlights the interaction between control and embedded systems security with Presidential Policy Directive 8- the National Preparedness Plan (NPP), cyber risk management, incident handling. To establish the premise the laboratory exercises were developed. This chapter outlines the description and content of the modules in the areas of (1) Industrial Control Systems (ICS) Security, (2) embedded systems (ES), and (3) guidelines, standards, and policy.
The ICS security modules cover the predominant ICS protocols, ladder logic programming, Human Machine Interface (HMI), defensive techniques, ICS reconnaissance, vulnerability assessment, Intrusion detection, and penetration testing. The ES security modules include topics such as secure firmware programming and authentication mechanisms. In the guidelines, standards, and policy section, the topics covered by the modules include the NPP as it relates to CI protection, risk management, system protection and policy design, and managing operations and controls. An overview of the various hands-on exercises that accompany the course modules is also presented. Further, to evaluate the effectiveness of the pedagogical materials, an initial evaluation was conducted and the survey data were collected, analyzed, and presented. The paper concludes with future enhancements and directives on opportunities for module extensions and course adoption.
In June 2017, the National Institute of Standards and Technology (NIST) published the first revision to the NIST SP 800-12 document, which contains guidelines that addresses the assessment and analysis of security control effectiveness and security posture of an organization. This chapter provides details on the design and implementation of embedded systems (ESs) and industrial control systems (ICSs) security curriculum resources. It presents lessons learned at various information security conferences and offers mini-training workshops to widely disseminate the learning module to the Center for Academic Excellence (CAE) community. The ongoing project will build on the success of the concluded ICS workshop to effectively fill a void in cybersecurity training for the CAE community and the Department of Defense (DoD) training personnel across the nation. It will have significant contributions to the Cybersecurity National Action Plan (CNAP) on addressing the expansion of the national cybersecurity workforce.

Situations such as improvements in business transaction processing and various security issues keep today's information systems in a constant state of change. Serious disruption of company operations can occur when changes are improperly planned and/or carried out. In addition to technological issues, an equally important consideration is in regard to how information system changes will affect organizational personnel. The Institute of Internal Auditors has identified seven steps that can be used to effectively implement change in an information system environment. This along with a discussion of significant issues in managing system patches provides an appropriate background to consider a model for evaluating the maturity of an organization's change management process in an information system environment. The highly respected COBIT guidance from the ISACA is included throughout much of the discussion to provide support for many of the suggested change management practices.