Inger Anne Tøndel

Norwegian University of Science and Technology, Nidaros, Sør-Trøndelag, Norway

Are you Inger Anne Tøndel?

Claim your profile

Publications (33)3.82 Total impact

  • Martin Gilje Jaatun · Inger Anne Tøndel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: See for author version. Outsourcing computing and storage to the cloud does not eliminate the need for handling of information security incidents. However, the long provider chains and unclear responsibilities in the cloud make incident response difficult. In this paper we present results from interviews in critical infrastructure organisations that highlight incident handling needs that would apply to cloud customers, and suggest mechanisms that facilitate inter-provider collaboration in handling of incidents in the cloud, improving the accountability of the cloud service providers.
    ARES 2015, Toulouse; 08/2015
  • I.A. Tøndel · M.B. Line · G. Johansen ·
    [Show abstract] [Hide abstract]
    ABSTRACT: A rich selection of methods for information security risk assessments exist, but few studies evaluate how such methods are used, their perceived ease-of-use, and whether additional support is needed. Distribution system operators (DSOs) find it difficult to perform information security risk assessments of Advanced Metering Infrastructure (AMI). We have performed a case study in order to identify these difficulties and the reasons for them. Our findings indicate that the risk assessment method in itself is not the main challenge. The difficulties regard competence; more specifically, insight in possible information security threats and vulnerabilities, being able to foresee consequences, and making educated guesses about probability. Improved guidelines can be a valuable aid, but including information security experts as participants in the process is even more important.
  • Inger Anne Tøndel · Maria B. Line · Martin Gilje Jaatun ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper reports results of a systematic literature review on current practice and experiences with incident management, covering a wide variety of organisations. Identified practices are summarised according to the incident management phases of ISO/IEC 27035. The study shows that current practice and experience seem to be in line with the standard. We identify some inspirational examples that will be useful for organisations looking to improve their practices, and highlight which recommended practices generally are challenging to follow. We provide suggestions for addressing the challenges, and present identified research needs within information security incident management.
    Computers & Security 09/2014; DOI:10.1016/j.cose.2014.05.003 · 1.03 Impact Factor
  • Maria B. Line · Inger Anne Tondel · Martin G. Jaatun ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper reports on an interview study on information security incident management that has been conducted in organizations operating industrial control systems that are highly dependent on conventional IT systems. Six distribution service operators from the power industry have participated in the study. We have investigated current practice regarding planning and preparation activities for incident management, and identified similarities and differences between the two traditions of conventional IT systems and industrial control systems. The findings show that there are differences between the IT and ICS disciplines in how they perceive an information security incident and how they plan and prepare for responding to such. The completeness of documented plans and procedures for incident management varies. Where documentation exists, this is in general not well-established throughout the organization. Training exercises with specific focus on information security are rarely performed. There is a need to create amore unified approach to information security incident management in order for the power industry to be sufficiently prepared to meet the challenges posed by Smart Grids in the near future.
    2014 Eighth International Conference on IT Security Incident Management & IT Forensics (IMF); 05/2014
  • Karin Bernsmed · I.A. Tøndel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents a method for evaluating an organization's ability to manage security incidents. The method is based on resilient thinking, and describes how to identify, select and implement early-warning indicators for information security incident management.
    IT Security Incident Management and IT Forensics (IMF), 2013 Seventh International Conference on; 01/2013
  • Karin Bernsmed · I.A. Tondel · A.A. Nyre ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents Privacy Advisor; a software which uses machine-learning techniques to help the users make online privacy decisions. Privacy Advisor is based on Case Based Reasoning (CBR), which relies on the ability to identify similar situations from the past and use these to provide recommendations in new situations. This paper focuses on the algorithms necessary to calculate the similarity of privacy policies. In addition, we provide results from a focus group study on the perceived similarity of data items and data handling purposes from a privacy point of view.
    Availability, Reliability and Security (ARES), 2012 Seventh International Conference on; 01/2012
  • Inger Anne Tøndel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents a solution for visualization control aimed at public displays used in a hospital setting. The solution controls what is displayed on a screen based on its location and the current time of day. In addition it makes risk/benefit trade-offs based on the quality and newness of the information, as well as its sensitivity and its importance for intended users. The solution can be realized by utilizing an existing publish/subscribe middleware solution.
    Proceedings of the 16th Nordic conference on Information Security Technology for Applications; 10/2011
  • I.A. Tondel · A.A. Nyre · K. Bernsmed ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper suggests a machine learning approach to preference generation in the context of privacy agents. With this solution, users are relieved from the complex task of specifying their preferences beforehand, disconnected from actual situations. Instead, historical privacy decisions are used as a basis for providing privacy recommendations to users in new situations. The solution also takes into account the reasons why users act as they do, and allows users to benefit from information on the privacy trade-offs made by others.
    Availability, Reliability and Security (ARES), 2011 Sixth International Conference on; 09/2011
  • [Show abstract] [Hide abstract]
    ABSTRACT: Large wall-mounted screens placed at locations where health personnel pass by will assist in self-coordination and improve utilisation of both resources and staff at hospitals. The sensitivity level of the information visible on these screens must be adapted to a close-to-public setting, as passers-by may not have the right or need to know anything about patients being treated. We have conducted six informal interviews with health personnel in order to map what kind of information they use when identifying their patients and their next tasks. We have compared their practice and needs to legislative requirements and conclude that it is difficult, if not impossible, to fulfil all requirements from all parties.
    Studies in health technology and informatics 01/2011; 169:606-10.
  • Maria B. Line · Inger Anne Tøndel · Erlend Andreas Gjære ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper focuses on access control approaches usable for information sharing through large screens where several individuals are present at the same time. Access control in this setting is quite different from traditional systems where a user logs on to the system. The paper outlines a number of possible approaches to access control, and evaluates them based on criteria derived from risk analyses of a planned coordination system for the perioperative hospital environment. It concludes that future work should focus on extending the location-based approach with situation awareness, and add support for using pop-ups or handheld devices for sharing of the most sensitive information.
    International Conference on Multidisciplinary Research and Practice for Business, Enterprise and Health Information Systems - MURPBES 2011 / Availability, Reliability and Security for Business, Enterprise and Health Information Systems - IFIP WG 8.4/8.9 International Cross Domain Conference and Workshop, ARES 2011, Vienna, Austria, August 22-26, 2011. Proceedings; 01/2011
  • Inger Anne Tøndel · Åsmund Ahlmann Nyre ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Current approaches to privacy policy comparison use strict evaluation criteria (e.g. user preferences) and are unable to state how close a given policy is to fulfil these criteria. More flexible approaches for policy comparison is a prerequisite for a number of more advanced privacy services, e.g. improved privacy-enhanced search engines and automatic learning of privacy preferences. This paper describes the challenges related to policy comparison, and outlines what solutions are needed in order to meet these challenges in the context of preference learning privacy agents.
    Open Problems in Network Security - IFIP WG 11.4 International Workshop, iNetSec 2011, Lucerne, Switzerland, June 9, 2011, Revised Selected Papers; 01/2011
  • Maria B. Line · Inger Anne Tondel · Martin G. Jaatun ·
    [Show abstract] [Hide abstract]
    ABSTRACT: The introduction of telecommunication in the energy grid, leading the way towards Smart Grids, challenges the way safe operations have traditionally been assured in the energy sector. New cyber security challenges emerge, especially related to privacy, connectivity and security management, and these need to be properly addressed. Existing cyber security technology and good practice mainly come from the traditional telecommunication environment where the requirements on safety and availability are less strict. For Smart Grids, lessons can be learned from the oil and gas industry on how they have dealt with security challenges in their implementation of integrated operations. Still, Smart Grids face a slightly different reality, due to their extensive geographical distribution and the enormous number of end-users. The contribution of this paper is a survey of cyber security challenges for Smart Grids, together with a roadmap of how these challenges must be addressed in the near future.
  • Jostein Jensen · Inger Anne Tøndel · Per Håkon Meland ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents an experiment on the reusability of threat models, specifically misuse case diagrams. The objective was to investigate the produced and perceived differences when modelling with or without the aid of existing models. 30 participants worked with two case studies using a Latin-squares experimental design. Results show that reuse is the preferred alternative. However, the existing models must be of high quality, otherwise a security risk would arise due to false confidence. Also, reuse of misuse case diagrams is perceived to improve the quality of the new models as well as improve productivity compared to modelling from scratch.
    Information and Communications Security - 12th International Conference, ICICS 2010, Barcelona, Spain, December 15-17, 2010. Proceedings; 12/2010
  • Per Håkon Meland · Inger Anne Tøndel · Jostein Jensen ·
    [Show abstract] [Hide abstract]
    ABSTRACT: To support software developers in addressing security, we encourage to take advantage of reusable threat models for knowledge sharing and to achieve a general increase in efficiency and quality. This paper presents a controlled experiment with a qualitative evaluation of two approaches supporting threat modelling - reuse of categorised misuse case stubs and reuse of full misuse case diagrams. In both approaches, misuse case threats were coupled with attack trees to give more insight on the attack techniques and how to mitigate them through security use cases. Seven professional software developers from two European software companies took part in the experiment. Participants were able to identify threats and mitigations they would not have identified otherwise. They also reported that both approaches were easy to learn, seemed to improve productivity and that using them were likely to improve their own skills and confidence in the results.
    Engineering Secure Software and Systems, Second International Symposium, ESSoS 2010, Pisa, Italy, February 3-4, 2010. Proceedings; 02/2010
  • Inger Anne Tøndel · Jostein Jensen · Lillian Røstad ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Misuse cases and attack trees have been suggested for security requirements elicitation and threat modeling in software projects. Their use is believed to increase security awareness throughout the software development life cycle. Experiments have identified strengths and weaknesses of both model types. In this paper we present how misuse cases and attack trees can be linked to get a high-level view of the threats towards a system through misuse case diagrams and a more detailed view on each threat through attack trees. Further, we introduce links to security activity descriptions in the form of UML activity graphs. These can be used to describe mitigating security activities for each identified threat. The linking of different models makes most sense when security modeling is supported by tools, and we present the concept of a security repository that is being built to store models and relations such as those presented in this paper.
    ARES 2010, Fifth International Conference on Availability, Reliability and Security, 15-18 February 2010, Krakow, Poland; 01/2010
  • A.A. Nyre · M.G. Jaatun · I.A. Tondel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Emergency and rescue operations are often carried out in areas where the network infrastructure cannot be relied on for message exchange between first responders. Since the fundamental feature of Mobile Ad Hoc Network is the ability to operate independently of existing infrastructure, it is deemed a well suited solution to first responders scenarios. In this paper we describe a security extension to the OLSR routing protocol specifically designed for first responders scenarios. Our proposed protocol provides node authentication and access control using asymmetric encryption and digital certificates. A link encryption scheme is devised to allow for efficient encryption of data even in broadcast mode, without the need for a network wide shared key. By utilising pairwise symmetric keys for link confidentiality, our solution is both efficient and scalable.
    Security and Communication Networks (IWSCN), 2009 Proceedings of the 1st International Workshop on; 06/2009
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Incident response is the process of responding to and handling security-related incidents involving information and communications technology (ICT) infrastructure and data. Incident response has traditionally been reactive in nature, focusing mainly on technical issues. This paper presents the Incident Response Management (IRMA) method, which combines traditional incident response with proactive learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the petroleum industry, but it is also applicable to other industries that rely on process control systems.
    International Journal of Critical Infrastructure Protection 05/2009; 2(1):26-37. DOI:10.1016/j.ijcip.2009.02.004 · 1.00 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Since operating room departments are among the costliest resources at a hospital, much attention is devoted to maximize their utilization. Operating room activities are however notoriously hard to plan in advance. This has to do with the unpredictable, problem-solving nature of the work and that the work is carried out by a multidisciplinary team of health personnel, members of which also have commitments outside the operating room department. We assume that operating room teams have the capacity to coordinate themselves and that coordination might be facilitated by visualizing relevant information on wall-mounted boards. To characterize clinical situations that require coordination and re-planning of the teams' work, we have developed a realistic scenario. We analyse and discuss the information security challenges that follow from displaying information on the whereabouts of other teams, actors and patients on wall-mounted boards in the operating rooms. Information security threats could be mitigated by de-identification techniques. Information demands could thereby be met without sacrificing the privacy of those whose information is displayed.
    Studies in health technology and informatics 02/2009; 150:715-9. DOI:10.3233/978-1-60750-044-5-715
  • [Show abstract] [Hide abstract]
    ABSTRACT: Healthcare information systems are currently being migrated from paper based journals to fully digitalised information platforms. Protecting patient privacy is thus becoming an increasingly complex task, where several national and international legal requirements must be met. These legal requirements present only high-level goals for privacy protection, leaving the details of security requirements engineering to the developers of electronic healthcare systems. Our objective has been to map legal requirements for sensitive personal information to a set of reusable technical information security requirements. This paper presents examples of such requirements extracted from legislation applicable to the healthcare domain.
    Proceedings of the The Forth International Conference on Availability, Reliability and Security, ARES 2009, March 16-19, 2009, Fukuoka, Japan; 01/2009
  • I.A. Tondel · M.G. Jaatun · A.A. Nyre ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Ad hoc networks for first responders in emergency situations have some unique characteristics that differ from general ad hoc networks, since it is desirable to restrict who can participate in the network without relying on a predeployed infrastructure. In this paper we present security requirements elicited for a first responder mobile ad hoc network in the OASIS project. The requirements have been identified in a structured manner, based on identification of objectives, assets and threats towards these assets.
    Security and Communication Networks (IWSCN), 2009 Proceedings of the 1st International Workshop on; 01/2009