This paper presents the requirements, design, development, and evaluation of a container-based cyber range for cybersecurity training and education named Cyber Range Lite (CRL). CRL is a scalable, lightweight platform with well-defined interfaces tailored to educational contexts. Cybersecurity exercises, or challenges, are described using a YAML-based template and deployed via Docker container images, which simulate a networked environment with a large number of hosts orchestrated by Docker Swarm. Students access the system through WireGuard VPN tunnels. We initially tested CRL using jeopardy-style Capture The Flag (CTF) exercises, comprising independent challenges. We then extended it to a virtual network scenario where students must solve challenges in a prescribed sequence. CRL was deployed and evaluated in an advanced-level ethical hacking course, where we compared its functionality, cost, and student feedback against a previous cyber range implementation based on virtual machines hosted on the Google Cloud Platform. Our results indicate that CRL offers a cost-effective and pedagogically flexible alternative for hands-on cybersecurity education. 

In this chapter, we present the pedagogical possibilities of AI as well as the challenges it poses in education. AI is not merely a new technological tool but represents a fundamental shift in how students interact with knowledge, assignments, and learning environments. As educators, we must navigate questions of academic integrity, skill development, and pedagogical alignment, as AI tools are increasingly becoming part of learning and assessment practices. We consider how AI can support learning and possibly replace traditional methods; however, concerns about overreliance, misinformation, and the erosion of critical thinking remain. We share examples based on examination instances, honesty statements, and our observations on the impact of these tools on the learning experiences of students at Karlstad University and Jönköping University. These insights stem from our recent experiences, as well as students’ reflections and behaviors. Finally, we share insights and takeaways for the future use of AI in teaching and assessment, emphasizing the importance of transparent communication, clear boundaries, and a pedagogical focus on learning outcomes.

The safe and efficient operation of automated vehicles requires processing massive amounts of sensor data. However, the computational capabilities of vehicles are often limited. Recent results point to computational offloading as a promising solution for transferring raw sensor data to be processed elsewhere. This alleviates vehicles from performing costly computations while increasing their perception of complex environments. The work in this paper evaluates the resilience of such solutions, specifically focusing on adverse network conditions, which are often overlooked when evaluating computational offloading. To emulate adverse network conditions, we use synthetic network interference that includes, e.g., packet loss, throughput rate limiting, packet corruption, and RF attenuation. We conducted experiments with a real vehicle on a test track, where object detection was offloaded to an edge server. An optical camera, one of the most common perception sensors, was mounted on the vehicle to scan the environment. The experimental results indicate that network conditions can significantly impact the object detection performance. Packet loss and packet corruption proved to be especially impactful on the accuracy of detections. During the scenario of 5% packet corruption, the median value of false detections reached as high as 20%. The results emphasize the need for resilience and robustness to poor network conditions when designing computational offloading strategies. 

This book constitutes the refereed proceedings of the 29th International Conference on Secure IT Systems, NordSec 2024, held in Karlstad, Sweden, during November 6–7, 2024.

The 25 full papers presented in this book were carefully reviewed and selected from 59 submissions. They focus on topics such as: Authentication; Cryptography; Cyber-Physical Systems; Cybersecurity and Policy; LLMs for Security; Formal Verification; Mobile and IoT; Network Security; and Privacy.

Vehicular Ad Hoc Networks (VANETs) play a crucial rolein the evolution of Intelligent Transportation Systems. The problems ofrenting and drivers’ accountability still need to be answered in VANETs.Existing proposals do not consider renting vehicles, and there is nodistinction between renters and owners. This paper proposes privacy-preserving rental and accountability protocols to address these problems.The proposed rental protocol outputs an agreement between an ownerand a renter, which allows the renter to unlock and drive the vehicle.The privacy-preserving accountability protocol offers a robust solutionfor detecting and mitigating malicious behavior in VANETs. It provides aplatform for holding entities accountable for their actions without violating their privacy. The paper demonstrates that our solution successfullymeets the pre-set security and privacy requirements in VANETs. Thesefindings suggest promising potential for improving future vehicular networks’ safety, efficiency, and performance.

Vehicular Ad-hoc Networks (VANETs) enable communications between vehicles and infrastructure and are a key part of future Intelligent Transportation Systems. Significant advancements have been made in ensuring anonymous and secure communication within VANETs; however, integrating privacy-preserving vehicle rentals in VANETS is an unsolved problem. Existing protocols do not address the unique challenges posed by vehicle sharing and rentals, particularly regarding vehicle owners’ and renters’ privacy. This paper proposes a novel rental protocol within VANETs. Our solution is based on delegatable anonymous credentials and NonInteractive Zero-Knowledge (NIZK) proofs. It allows drivers to securely delegate credentials to vehicles. This approach ensures that each vehicle broadcasts authenticated messages, verified through NIZK proofs, while the identity of the actual driver is verifiably escrowed to an inspector that can lift driver privacy in case of abuse. The latter property implements accountability into the system. Our protocol addresses the trust issues inherent in previous systems by providing a robust mechanism for privacy-preserving, accountable vehicle rentals in VANETs, enhancing the overall security and functionality of these networks.

Consenting to digital services’ privacy policies is standard practice. It often occurs at the early stage of interactions with a given service—during the sign-up process. Still, the most common way of acquiring consent from users is through their acknowledgment of policies by ticking a box. Consequently, users consent, mostly blindly, as they are unlikely to review the full text of policies. The current article presents research investigating factors that may impact user interaction with privacy policies, focusing on the underresearched topic of affective states (valence and arousal). The results of an online experiment (N=88) indicate that privacy policy design can elicit specific affective responses and, when accounting for some characteristics of individuals (e.g., personality traits), it can influence users’ attitudes and behaviors. Particularly, the findings show that privacy awareness and willingness to disclose information might be impacted. Additionally, the analysis of collected data suggests significant associations between some personality traits and affective states, as well as a strong relationship between privacy concerns and willingness to disclose information, contradicting the concept of privacy paradox, often discussed in the privacy literature. Moreover, the results of our qualitative inquiry, where the study respondents had a chance to elaborate on their decisions to agree or disagree with the privacy policy by answering an open-ended question, confirm the quantitative findings, and reveal some of the users needs considering the sign-up process.

In vehicular ad hoc networks (VANETs), vehicles exchange messages to improve traffic and passengers’ safety. In VANETs, (passive) adversaries can track vehicles (and their drivers) by analyzing the data exchanged in the network. The use of privacy-enhancing technologies can prevent vehicle tracking but solutions so far proposed either require an intermittent connection to a fixed infrastructure or allow vehicles to generate concurrent pseudonyms which could lead to identity-based (Sybil) attacks. In this paper, we propose an anonymous authentication scheme that does not require a connection to a fixed infrastructure during operation and is not vulnerable to Sybil attacks. Our scheme is built on attribute-based credentials and short lived pseudonyms. In it, vehicles interact with a central authority only once, for registering themselves, and then generate their own pseudonyms without interacting with other devices, or relying on a central authority or a trusted third party. The pseudonyms are periodically refreshed, following system wide epochs.

In this paper, we report on designing and deploying an on-campus, highly practical ethical hacking course   using the foundation of Kungl. Tekniska Högskolan's (KTH) existing, well-established, distance-based course. We explain our course organization, structure, and delivery and present the students' formative and summative feedback and their results. Moreover, we justify the choice of our platform, a custom GCP-based cyber range with twelve capture the flag exercises designed for an online ethical hacking course, and how our on-campus course was implemented around it. Our ethical hacking course is organized around ten mandatory lectures, seven flag reports and three lectures on ethics, two demonstrations, and four guest lectures. The student evaluation is continuous and based on the flags captured. Our collected data indicates the amount of effort spent on each exercise, the used hints, and for how long most of the students were actively solving the exercises. The students' feedback indicates they were overwhelmingly satisfied with the course elements and teaching staff. Finally, we propose changes to elements of our ethical hacking course. The course was delivered at Karlstad University over nine weeks between January and March 2023 for 24 students.

When people sign-up to new online services, privacy notices are the initial means by which data handling practices are communicated. Yet, their design seldom ensures users' privacy comprehension or provides people with privacy choices, resulting in negative feelings associated with the sign-up process. In this paper, we investigate how to improve privacy notice design to enhance privacy comprehension and control, while inducing more positive feelings towards these notices. In an online experiment (N=620), we examine the factors of curiosity, privacy concerns, trust, and time. We study how these factors and visual designs of notices (framing and control) influence privacy comprehension, intention to disclose, and affect (negative-positive). Our results show that, depending on an individual's level of curiosity, control can influence privacy comprehension, disclosure, and affect. We demonstrate that affect moderates the relationship between privacy concerns and disclosure. We elaborate on our results, highlighting how privacy notices that activate curiosity and provide control, could enhance usability and strengthen privacy-conscious behaviors.