Backend as a service (BaaS), sometimes also referred to as mobile backend as a service (MBaaS), is a service for providing web app and mobile app developers with a way to easily build a backend to their frontend applications. Features available include user management, push notifications, and integration with social networking services. These services are provided via the use of custom software development kits (SDKs) and application programming interfaces (APIs). BaaS is a relatively recent development in cloud computing, with most BaaS startups dating from 2011 or later. Some of the most popular service providers are AWS Amplify and Firebase. == Purpose == Web and mobile apps require a similar set of features on the backend, including notification service, integration with social networks, and cloud storage. Each of these services has its own API that must be individually incorporated into an app, a process that can be time-consuming and complicated for app developers. BaaS providers form a bridge between the frontend of an application and various cloud-based backends via a unified API and SDK. Providing a consistent way to manage backend data means that developers do not need to redevelop their own backend for each of the services that their apps need to access, potentially saving both time and money. Although similar to other cloud-computing business models, such as serverless computing, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS), BaaS is distinct from these other services in that it specifically addresses the cloud-computing needs of web and mobile app developers by providing a unified means of connecting their apps to cloud services. == Features == BaaS providers offer different set of features and backend tools. Some of the most common features include: Database management. Most BaaS solutions provide SQL and/or NoSQL database management services for applications. Developers can store their app data without deploying and managing databases themselves. BaaS usually provides client SDKs, REST and GraphQL APIs for the frontend to interact with databases. File storage. BaaS providers often offer storage solutions for media files, user uploads, and other binary data. Applications can upload, download, and delete files through provided SDKs and APIs. Authentication and authorization. Some BaaS offer authentication and authorization services that allow developers to easily manage app users. This includes user sign-up, login, password reset, social media login integration through OAuth, user group and permission management etc. Notification service. Some BaaS providers such as Firebase and AWS Amplify have notification services that can send custom emails to users and push native notifications on mobile platforms. This is especially useful for applications that need to send messages, alerts, and reminders. Cloud functions. Some BaaS allow developers to deploy and run serverless functions. The functions are usually stateless and can be triggered by various ways including HTTP requests, SDK invocation, background server events, and cloud scheduled executions. Different providers offer runtime support for different languages, some of the popular languages are JavaScript/TypeScript (Node.js, Deno), Python, Java/Kotlin. Cloud functions extend the potential and flexibility of BaaS by allowing developers to write custom functionalities for their apps, working in a way similar to a traditional REST API backend framework. Usage analytics. Analytics data about application usage is often included in BaaS. This allows developers to monitor user behaviors and make decisions correspondingly in marketing strategies and performance optimizations. UI design. Some BaaS providers, such as AWS Amplify and Backendless, offer user interface designing tools that help developers design the frontend UI of web and mobile apps. While this may be useful for small teams and individual developers, UI design assistance may not be conventional in BaaS as it goes beyond the scope of backend infrastructure. Real-Time. Real-time features in a BaaS platform ensure that data updates and synchronizations occur instantly across all clients, making changes immediately visible to users. This is crucial for applications like live chat and collaborative tools, using technologies like WebSockets to maintain continuous server-client connections. == Service providers == BaaS providers have a broad focus, providing SDKs and APIs that work for app development on multiple platforms with different technology stacks, such as JavaScript (for Web apps), Flutter, Java/Kotlin (for Android apps), Swift/Objective-C (for iOS/MacOS/WatchOS/TvOS apps), .NET (for Windows) and others. BaaS providers also come in different types, suiting developers of different needs. === Cloud-based BaaS === Most BaaS providers host backend platforms on their cloud servers. They also manage the infrastructure, security, and scalability of the platforms. Developers can access the backend services via a web interface or the provided APIs. Some examples of cloud-based BaaS include Firebase (hosted on Google Cloud Platform), AWS Amplify (hosted on Amazon Web Services), and Microsoft Azure Mobile Apps (hosted on Microsoft Azure). === Self-hosted BaaS === Self-hosted BaaS allow developers to host backend on their own servers, providing more flexibility and potential to customization compared to cloud-based BaaS, which often is more difficult to migrate from. However, developers are also in charge of managing the infrastructure, security, and scalability of their servers. === Mobile BaaS === Mobile backend as a service (MBaaS) is a type of BaaS specifically for applications deployed in mobile systems. While some references use MBaaS interchangeably for BaaS, BaaS can have a wider variety of support such as for web apps and desktop apps. == Business model == BaaS providers generate revenue from their services in various ways, often using a freemium model. Under this model, a client receives a certain number of free active users or API calls per month, and pays a fee for each user or call over this limit. Alternatively, clients can pay a set fee for a package which allows for a greater number of calls or active users per month. There are also flat fee plans that make the pricing more predictable. Some of the providers offer the unlimited API calls inside their free plan offerings. Another business model that has been used by a lot of BaaS providers is PAYG (pay as you go), which has a flexible cost based on developers' usage of database, storage, bandwidth, function calls, user numbers etc.
Confused deputy problem
In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy problem is often cited as an example of why capability-based security is important. Capability systems protect against the confused deputy problem, whereas access-control list–based systems do not. Such systems can mitigate the confused deputy problem by eliminating ambient authority, allowing programs to act only on resources for which they hold explicit capabilities, whereas access-control list–based systems are more susceptible to it. However, this protection depends on correct implementation; in formally verified capability systems such as seL4, it can be shown that the kernel enforces capability constraints correctly, preventing such behavior at the system level. == Example == In the original example of a confused deputy, there was a compiler program provided on a commercial timesharing service. Users could run the compiler and optionally specify a filename where it would write debugging output, and the compiler would be able to write to that file if the user had permission to write there. The compiler also collected statistics about language feature usage. Those statistics were stored in a file called "(SYSX)STAT", in the directory "SYSX". To make this possible, the compiler program was given permission to write to files in SYSX. But there were other files in SYSX: in particular, the system's billing information was stored in a file "(SYSX)BILL". A user ran the compiler and named "(SYSX)BILL" as the desired debugging output file. This produced a confused deputy problem. The compiler made a request to the operating system to open (SYSX)BILL. Even though the user did not have access to that file, the compiler did, so the open succeeded. The compiler wrote the compilation output to the file (here "(SYSX)BILL") as normal, overwriting it, and the billing information was destroyed. === The confused deputy === In this example, the compiler program is the deputy because it is acting at the request of the user. The program is seen as 'confused' because it was tricked into overwriting the system's billing file. Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, “(SYSX)BILL”. The program receives the file name from the user, but does not know whether the user had permission to write the file. When the program opens the file, the system uses the program's permission, not the user's. When the file name was passed from the user to the program, the permission did not go along with it; the permission was increased by the system silently and automatically. It is not essential to the attack that the billing file be designated by a name represented as a string. The essential points are that: the designator for the file does not carry the full authority needed to access the file; the program's own permission to access the file is used implicitly. == Other examples == A cross-site request forgery (CSRF) is an example of a confused deputy attack that uses the web browser to perform sensitive actions against a web application. A common form of this attack occurs when a web application uses a cookie to authenticate all requests transmitted by a browser. Using JavaScript, an attacker can force a browser into transmitting authenticated HTTP requests. The Samy computer worm used cross-site scripting (XSS) to turn the browser's authenticated MySpace session into a confused deputy. Using XSS the worm forced the browser into posting an executable copy of the worm as a MySpace message which was then viewed and executed by friends of the infected user. Clickjacking is an attack where the user acts as the confused deputy. In this attack a user thinks they are harmlessly browsing a website (an attacker-controlled website) but they are in fact tricked into performing sensitive actions on another website. An FTP bounce attack can allow an attacker to connect indirectly to TCP ports to which the attacker's machine has no access, using a remote FTP server as the confused deputy. Another example relates to personal firewall software. It can restrict Internet access for specific applications. Some applications circumvent this by starting a browser with instructions to access a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking "OK" to these prompts. Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority. Another example is when an administrator authorizes an AI agent to act on their behalf, and that AI subsequently delegates authority to another AI agent neither vetted nor authorized by the original administrator. The unvetted AI can then act without permissions or oversight from the original developer. == Solutions == In some systems it is possible to ask the operating system to open a file using the permissions of another client. This solution has some drawbacks: It requires explicit attention to security by the server. A naive or careless server might not take this extra step. It becomes more difficult to identify the correct permission if the server is in turn the client of another service and wants to pass along access to the file. It requires the client to trust the server to not abuse the borrowed permissions. Note that intersecting the server and client's permissions does not solve the problem either, because the server may then have to be given very wide permissions (all of the time, rather than those needed for a given request) in order to act for arbitrary clients. The simplest way to solve the confused deputy problem is to bundle together the designation of an object and the permission to access that object. This is exactly what a capability is. Using capability security in the compiler example, the client would pass to the server a capability to the output file, such as a file descriptor, rather than the name of the file. Since it lacks a capability to the billing file, it cannot designate that file for output. In the cross-site request forgery example, a URL supplied "cross"-site would include its own authority independent of that of the client of the web browser.
Generalized nondeterministic finite automaton
In the theory of computation, a generalized nondeterministic finite automaton (GNFA), also known as an expression automaton or a generalized nondeterministic finite state machine, is a variation of a nondeterministic finite automaton (NFA) where each transition is labeled with any regular expression. The GNFA reads blocks of symbols from the input which constitute a string as defined by the regular expression on the transition. There are several differences between a standard finite state machine and a generalized nondeterministic finite state machine. A GNFA must have only one start state and one accept state, and these cannot be the same state, whereas an NFA or DFA both may have several accept states, and the start state can be an accept state. A GNFA must have only one transition between any two states, whereas a NFA or DFA both allow for numerous transitions between states. In a GNFA, a state has a single transition to every state in the machine, although often it is a convention to ignore the transitions that are labelled with the empty set when drawing generalized nondeterministic finite state machines. == Formal definition == A GNFA can be defined as a 5-tuple, (S, Σ, T, s, a), consisting of a finite set of states (S); a finite set called the alphabet (Σ); a transition function (T : (S ∖ {\displaystyle \setminus } {a}) × (S ∖ {\displaystyle \setminus } {s}) → R); a start state (s ∈ S); an accept state (a ∈ S); where R is the collection of all regular expressions over the alphabet Σ. The transition function takes as its argument a pair of two states and outputs a regular expression (the label of the transition). This differs from other finite state machines, which take as input a single state and an input from the alphabet (or the empty string in the case of nondeterministic finite state machines) and outputs the next state (or the set of possible states in the case of nondeterministic finite state machines). A DFA or NFA can easily be converted into a GNFA and then the GNFA can be easily converted into a regular expression by repeatedly collapsing parts of it to single edges until S = {s, a}. Similarly, GNFAs can be reduced to NFAs by changing regular expression operators into new edges until each edge is labelled with a regular expression matching a single string of length at most 1. NFAs, in turn, can be reduced to DFAs using the powerset construction. This shows that GNFAs recognize the same set of formal languages as DFAs and NFAs.
Frank Hutter
Frank Hutter is a German computer scientist recognized for his contributions to machine learning, particularly in the areas of automated machine learning (AutoML), hyperparameter optimization, meta-learning and tabular machine learning. He is currently a Hector-Endowed Fellow and PI at the ELLIS Institute Tübingen and a Full Professor (W3) for Machine Learning at the Department of Computer Science, University of Freiburg. Hutter is known for his role in establishing AutoML as a key area in artificial intelligence research. == Education and academic career == Frank Hutter received his academic training in computer science at Darmstadt University of Technology, where he completed his Vordiplom (comparable to a BSc) and Hauptdiplom (equivalent to MSc) by 2004. He later pursued his PhD at the University of British Columbia, under the supervision of Profs. Holger Hoos, Kevin Leyton-Brown and Kevin Murphy, where his doctoral thesis, titled "Automated Configuration of Algorithms for Solving Hard Computational Problems," was awarded the CAIAC Doctoral Dissertation Award for the best thesis in Artificial Intelligence completed at a Canadian university in 2009. Hutter did his postdoctoral research at the University of British Columbia, where he worked from 2009 to 2013. In 2013, he moved to the University of Freiburg, initially leading an Emmy Noether Research Group, and in 2017, he was appointed as a Full Professor. His contributions to machine learning have been recognized globally, particularly his work in AutoML and hyperparameter optimization. Overall, Hutter has authored over 180 peer-reviewed publications, which have garnered more than 89,000 citations, reflecting the high impact of his work. == Contributions in AutoML == Hutter's early research laid the groundwork for the field of Automated Machine Learning (AutoML). He has been a key figure in establishing AutoML as a distinct research area. Along with various colleagues, he organized the AutoML workshops from 2014 to 2021, wrote the first book on AutoML and taught the first MOOC on AutoML. He also co-founded the AutoML conference in 2022 and served as its general chair the first two years. He also published prominent works in various subfields of AutoML, such as hyperparameter optimization, neural architecture search, meta-Learning and AutoML systems. He is currently the most highly cited researcher in AutoML. == Contributions in machine learning for tabular data == Hutter has also made many contributions to machine learning for tabular data. He led the development of the first widely adopted AutoML system for tabular data, AutoWEKA, which was published at KDD 2013 and received the test of time award at KDD (2023). Subsequently, he led the development of Auto-sklearn, the first highly used AutoML system for tabular data in Python, and with it, won the first international AutoML challenge and the subsequent second international AutoML challenge, both of which only included tabular data. More recently, he focused on tabular foundation models, including TabPFN, which was published in Nature magazine. In 2024, he also co-founded Prior Labs, the first company focusing on tabular foundation models. == Awards and honors == Hutter has received numerous awards throughout his career. In 2023, he won the KDD Test of Time Award for Research together with Chris Thornton, Holger H. Hoos, and Kevin Leyton-Brown. He has received three grants from the ERC, including the ERC Starting Grant (2016) and ERC Consolidator Grant (2022), as well as an ERC Proof of Concept Grant (2020). In 2021, he became an ELLIS Unit Director and was also recognized as a EurAI Fellow, in addition to receiving the AIJ Prominent Paper Award. Earlier, he was a recipient of the Google Faculty Research Award in 2018. His groundbreaking research was acknowledged early in his career with the IJCAI Distinguished Paper Award in 2013 and the IJCAI/JAIR Best Paper Prize in 2010. == Representative publications == Hutter, F. Kotthoff, L. and Vanschoren, J., editors. Automated machine learning: methods, systems, challenges, Springer Nature, 2019. www.automl.org/book. Feurer, M., Klein, A., Eggensperger, K., Springenberg, T., Blum, M., Hutter, F. Efficient and Robust Automated Machine Learning. In NeurIPS 2015. Loshchilov, I., and Hutter, F. Decoupled weight decay regularization. In ICLR 2018. Zela, A., Elsken, T. ,Saikia, T. ,Marrakschi, Y. ,Brox, T. and Hutter. ,F.Understanding and Robustifying Differentiable Architecture Search. In ICLR 2020. Hollmann, N., Müller, S., Eggensperger, K. and Hutter, F. TabPFN: A Transformer That Solves Small Tabular Classification Problems in a Second, In ICLR 2023.
Ayanna Howard
Ayanna MacCalla Howard (born January 24, 1972) is an American roboticist, entrepreneur, and educator currently serving as the dean of the College of Engineering at Ohio State University. Assuming this role in March 2021, Howard became the first woman to lead the Ohio State College of Engineering. Howard previously served as the chair of the School of Interactive Computing in the Georgia Tech College of Computing, the Linda J. and Mark C. Smith Endowed Chair in Bioengineering in the School of Electrical and Computer Engineering, and the director of the Human-Automation Systems (Humans) Lab. == Early life and education == As a little girl, Howard was interested in aliens and robots. Her favorite TV show was The Bionic Woman. Howard received her B.S. in engineering from Brown University in 1993 and her M.S. and Ph.D. in electrical engineering from the University of Southern California in 1994 and 1999, respectively. Her thesis, Recursive Learning for Deformable Object Manipulation, was advised by George A. Bekey. In addition, Howard's Doctoral thesis was triggered by the AIDS epidemic with focus on sorting hospital waste by using robots. Howard has also received an MBA from Claremont Graduate University. == Career == Howard's early interest in artificial intelligence led her to pursue a senior position at Seattle-based Axcelis Inc, where she helped develop Evolver, the first commercial genetic algorithm, and Brainsheet, a neural network developed in partnership with Microsoft. From 1993 to 2005, she worked at the NASA Jet Propulsion Laboratory, holding multiple roles such as senior robotics researcher and deputy manager in the Office of the Chief Scientist. In 2005, she joined Georgia Tech as an associate professor and founder of the Human-Automation Systems (Humans) lab. She has also served as the associate director of research for Georgia Tech's Institute for Robotics and Intelligent Machines and as chair of the multidisciplinary robotics Ph.D. program at Georgia Tech. In 2017, she became the chair of the School of Interactive Computing at Georgia Tech. In 2008, Howard received worldwide attention for her SnoMote robots, designed to study the impact of global warming on the Antarctic ice shelves. In 2013, she founded Zyrobotics, which has released their first suite of therapy and educational products for children with special needs. Howard has authored 250 publications in reputable journals and conferences, including serving as co-editor/co-author of more than a dozen books and book chapters. She has also received four patents and given over 140 invited talks and keynotes. She is a fellow of the Association for the Advancement of Artificial Intelligence (AAAI) and the Institute of Electrical and Electronics Engineers (IEEE). Among her many honors, Howard received the Computer Research Association's A. Nico Habermann Award and the Richard A. Tapia Achievement Award. In a 2020 interview on Marketplace, Howard outlined how companion robots could alleviate the effects of social distancing caused by the COVID-19 pandemic in the United States. On November 30, 2020, the Columbus Dispatch reported that Howard would become the next dean of the College of Engineering at Ohio State University on March 1, pending approval by the board of trustees. On March 1, 2021, she assumed this role, becoming the first woman to hold the position. In 2021, Howard received the Athena Lecturer Award from Association for Computing Machinery (ACM) for her Contributions to Robotics, AI and Broadening Participation in Computing. In June 2022, Howard was elected a trustee of Brown University. == Research == Howard's research interests include human-robot interaction, assistive/rehabilitation robotics, science-driven/field robotics, and perception, learning, and reasoning. Howard's research and published works span across various topics in robotics and AI, including intelligent learning, virtual reality for rehabilitation and robotics in the role of pediatric therapy. Her research is highlighted by her focus on technology development for intelligent agents that must interact with and in a human-centered world. Her work, which addresses issues of human-robot interaction, learning, and autonomous control, has resulted in more than 200 peer-reviewed publications. == Honors and awards == Howard's numerous accomplishments have been documented in more than a dozen featured articles. In 2003, she was named to the MIT Technology Review TR100 as one of the top 100 innovators in the world under the age of 35. She was featured in Time magazine's "Rise of the Machines" article in 2004. She was also featured in a USA Today Science & Space article. Some of Howard's notable awards include: Lew Allen Award for Excellence (formerly the Director's Research Achievement Award of the Jet Propulsion Laboratory) for significant technical contributions, 2001 MIT Technology Review Top 100 Young Innovators of the Year, 2003 NAE Gilbreth Lectureship, 2010 A. Richard Newton Educator ABIE Award, Anita Borg Institute, 2014 Computer Research Association's A. Nico Habermann Award, 2016 Brown Engineering Alumni Medal (BEAM), 2016 AAAS-Lemelson Invention Ambassador, 2016-2017 Atlanta magazine's Women Making a Mark, 2017 Walker's Legacy #WLPower25 Atlanta Award, 2017 Forbes America's Top 50 Women In Tech, 2018 ACM Athena Lecturer Award, 2021 2021 class of Fellows of the American Association for the Advancement of Science. IEEE Fellow, 2021, "for contributions to human-robot interaction systems" 2023 AAAI/EAAI Patrick Henry Winston Outstanding Educator Award
Internet Security Awareness Training
Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT). Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g., the Gramm–Leach–Bliley Act, the Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Sarbanes–Oxley Act) normally require formal ISAT for annually for all employees. Often such training is provided in the form of online courses. ISAT, also referred to as Security Education, Training, and Awareness (SETA), organizations train and create awareness of information security management within their environment. It is beneficial to organizations when employees are well trained and feel empowered to take important actions to protect themselves and organizational data. The SETA program target must be based on user roles within organizations and for positions that expose the organizations to increased risk levels, specialized courses must be required. == Coverage == There are general topics to cover for the training, but it is necessary for each organization to have a coverage strategy based on its needs, as this will ensure the training is practical and captures critical topics relevant to the organization. As the threat landscape changes very frequently, organizations should continuously review their training programs to ensure relevance with current trends. Topics covered in ISAT include: Appropriate methods for protecting sensitive information on personal computer systems, including password policy Various computer security concerns, including spam, malware, phishing, social engineering, etc. Consequences of failure to properly protect information, including potential job loss, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal law penalties. Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening. The general scope should include topics such as password security, Email phishing, Social engineering, Mobile device security, Sensitive data security, and Business communications. In contrast, those requiring specialized knowledge are usually required to take technical and in-depth training courses. Suppose an organization determines that it is best to use one of the available training tools on the market, it must ensure it sets objectives that the training can meet, including confirming the training will provide employees with the knowledge to understand risks and the behaviors needed in managing them, actions to take to prevent or detect security incidents, using language easily understandable by the trainees, and ensuring the pricing is reasonable. Organizations are recommended to base ISAT training content on employee roles and their culture; the policy should guide that training for all employees and gave the following as examples of sources of reference materials: National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program International Standards Organization (ISO) 27002:2013, Information technology—Security techniques—Code of practice for information security controls International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness The training must focus on current threats specific to an organization and the impacts if that materializes as a result of user actions. Including practical examples and ways of dealing with scenarios help users know the appropriate measures to take. It is a good practice to periodically train customers of specific organizations on threats they face from people with malicious intentions. Coverage strategy for SAT should be driven by an organization's policy. It can help truly determine the level of depth of the training and where it should be conducted at a global level or business unit level, or a combination of both. A policy also empowers a responsible party within the organization to run the training. == Importance == Studies show that well-structured security awareness training can significantly reduce the likelihood of cyber incidents caused by human error. According to the Ponemon Institute, organizations that implement regular security training experience up to 70% fewer successful phishing attacks. Additionally, a 2023 Verizon Data Breach Investigations Report found that 74% of breaches involve the human element, highlighting the need for continuous education. Employees are key in whether organizations are breached or not; there must be a policy on creating awareness and training them on emerging threats and actions to take in safeguarding sensitive information and reporting any observed unusual activity within the corporate environment. Research has shown that SAT has helped reduce cyber-attacks within organizations, especially when it comes to phishing, as trainees learned to identify these attack modes and give them the self-assurance to take action appropriately. There is an increase in phishing attacks, and it has become increasingly important for people to understand how to these attacks work, and the actions required to prevent these and SAT has shown a significant impact on the number of successful phishing attacks against organizations. == Compliance Requirements == Various regulations and laws mandate SAT for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for the financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union's General Data Protection Regulation (GDPR). === Federal Information Security Modernization Act === Employees and contractors in federal agencies are required to receive Security Awareness Training annually, and the program needs to address job-related information security risks linked that provide them with the knowledge to lessen security risks. === Health Insurance Portability and Accountability Act === The Health Insurance Portability and Accountability Act has the Security Rule, and Privacy Rule requiring the creation of a security awareness training program and ensuring employees are trained accordingly. === Payment Card Industry Data Security Standard === The Payment Card Industry Security Standards Council, the governing council for stakeholders in the payment industry, formed by American Express, Discover, JCB International, MasterCard, and Visa that developed the DSS as a requirement for the payment industry. Requirement 12.6 requires member organizations to institute a formal security awareness program. There is a published guide for organizations to adhere to when setting up the program. === US States Training Regulations === Some States mandate Security Awareness Training whiles other do not but simply recommend voluntary training. Among states that require the training for its employees include: Colorado (The Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.) Connecticut (13 FAM 301.1-1 Cyber Security Awareness Training (PS800)) Florida (Florida Statutes Chapter 282) Georgia (Executive Order GA E.O.182 mandated training within 90 days of issue) Illinois (Cook County) Indiana (IN H 1240) Louisiana (Louisiana Division of Administration, Office of Technology Services p. 52: LA H 633) Maryland (20-07 IT Security Policy) Montana (Mandatory cyber training for executive branch state employees) Nebraska Nevada (agency-by-agency state employee requirement - State Security Standard 123 – IT Security) New Hampshire New Jersey ( NJ A 1654) North Carolina Ohio (IT-15 - Security Awareness and Training) Pennsylvania Texas Utah Vermont Virginia West Virginia (WV Code Section 5A-6-4a) == Training Techniques == Below are some common training techniques, even though some can be blended depending on the operating environment: Interactive video training – This technique allows users to be trained using two-way interactive audio and video instruction. Web-based training – This method allows employees or users to take the training independently and usually has a testing component to determine if learning has taken place. If not, users can be allowed to retake the course and test to ensure there is a complete understanding
NFA minimization
In automata theory (a branch of theoretical computer science), NFA minimization is the task of transforming a given nondeterministic finite automaton (NFA) into an equivalent NFA that has a minimum number of states, transitions, or both. While efficient algorithms exist for DFA minimization, NFA minimization is PSPACE-complete. No efficient (polynomial time) algorithms are known, and under the standard assumption that P ≠ PSPACE, none exist. The most efficient known algorithm is the Kameda–Weiner algorithm. == Non-uniqueness of minimal NFA == Unlike deterministic finite automata, minimal NFAs may not be unique. There may be multiple NFAs with the same number of states that accept the same regular language, but for which there is no equivalent NFA or DFA with fewer states.