[Show abstract][Hide abstract] ABSTRACT: In this work we address the main issues of IT consumerisation that are related to security risks, and propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.
CENTERIS 2014 - Conference on ENTERprise Information Systems, Troia, Lisbon, Portugal; 10/2014
[Show abstract][Hide abstract] ABSTRACT: Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that allows resesarchers and organisational stakeholders to work together to identify a set of nudges that might promote best behavioral practice. We describe the structured approach or framework, which we call SCENE, and follow this description with a worked example of how the approach has been utilised effectively in the development of a nudge to mitigate insecure behaviors around selection of wireless networks.
Third International Conference DUXU held at HCI International, Heraklion, Crete, Greece, June 22-27, 2014.; 06/2014
[Show abstract][Hide abstract] ABSTRACT: This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized behaviour change in security. We asked participants to select from a menu of public wireless networks, using colour and menu order to ‘nudge’ participants towards making more secure choices. The preliminary results from 67 participants suggest that while nudging can be an effective tool to help non-experts to select more secure networks, certain user differences may also play a role. Lower (novice level) IT proficiency and diminished impulse control led to poorer security decisions. At the same time, we were able to demonstrate that our nudge effectively changed the behaviour of participants with poor impulse control. We discuss these implications and pose several questions for future research.
Paper presented at the “Personalizing Behavior Change Technologies” CHI Workshop,, Toronto, Canada, April 27, 2014.; 04/2014
[Show abstract][Hide abstract] ABSTRACT: Social media and online communication encourage social interaction but do little to strengthen community relations between people who live in the same area. The aim of this work is to develop a set of requirements, in this initial case from a group of older adults, for an online system aimed at increasing local face-to-face communication and enhancing community interaction. Eleven older adults took part in two discussion groups to develop this list of requirements. The results of these discussions are presented and come under six broad categories, these being: Security/Information, Social, Physical, Interface, Crime and Management. We also suggest additional requirements we think would benefit the system and future directions.
[Show abstract][Hide abstract] ABSTRACT: This paper systematically reviews previous studies of trust from social, economic and technological perspectives and develops a holistic framework for trust, which can be used to analyse the establishment and maintenance of trust in online transactions, and identify the mechanisms that can be used to increase trust. Trust plays a crucial role in the formation of dependent relationships represented by online transactions, and a holistic treatment of trust is necessary because of the gap that exists between the developments in information systems and our understanding of their social and economic implications, and the impact on the perceived trust of the transacting parties. This review enables us to depict an online transaction through its attributes and context, and systematically map these to identified trust antecedents. The key components and processes of the framework are outlined, and three strands of empirical work are discussed to develop it further. The framework highlights the critical role of institutions in the establishment and maintenance of trust in online transactions, which informs the development of e‐commerce and e‐business platforms and the underpinning information systems, and facilitates the establishment of mechanisms to induce additional institutions to increase trust in online transactions.
International Journal of Management Reviews 03/2012; · 3.58 Impact Factor
[Show abstract][Hide abstract] ABSTRACT: Does every organization need to reinvent the wheel when it comes to IT security? Not if the IT community can develop a formal knowledge base for sharing and applying IT security management knowledge. Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they're often gathering and applying the same knowledge. However, they're doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.
[Show abstract][Hide abstract] ABSTRACT: It is of critical business importance for organizations to keep confidential digital documents secure, as the potential cost and damage incurred from the loss of confidential digital documents have increased significantly in recent years. Digital Rights Management (DRM) was developed to help organizations keep digital documents secure, as one of many digital information security solutions.In this study, the functions of eight popular DRM products currently available on the market are reviewed, and the impact of using of these DRM products is evaluated quantitatively. A group of metrics is defined reflecting the potential costs and impact to the organization incurred by implementing DRM products. Stochastic models are used to quantitatively evaluate the costs and impact of implementing a particular DRM product. In this study, it is found that although DRM products protect digital assets by encryption and by providing central control on information within the organization, this comes at a cost, since these security mechanisms typically reduce the productivity of the staff. The reduction in productivity is in turn measured in the form of non-productive time (NPT) which is an inherent part of the stochastic modeling process.
Electronic Notes in Theoretical Computer Science - ENTCS. 01/2011; 275:159-174.
[Show abstract][Hide abstract] ABSTRACT: Many enterprises are currently exploring the po- tential cost benefits of running applications in public clouds. Enterprises often have global security policies to ensure that its information management conforms to business rules and legal mandates. The location of data storage and application execution therefore becomes a critical issue. The prevalence of Service Oriented Architectures (SOA) means that appli- cations are often composed from a set of services which form a workflow. The concept of running workflow instances on public cloud processing platforms is in its infancy. The scientific community still needs to define the security issues in public cloud workflow deployment and the requirements of possible solutions that will deal with those concerns. This paper aims to address this by exploring the current information security issues of public cloud workflow deployment within an enterprise setting and by identifying core requirements of solutions needed to deal with these challenges. We argue that enterprises would benefit from an automated and dynamic approach when selecting where to execute workflows and store data. This approach would choose what workflows, or subsets of workflows, can be executed in a public cloud environment while ensuring that enterprise security and compliance needs are met. Keywords-cloud computing; information security; workflow; dynamic decision making.
[Show abstract][Hide abstract] ABSTRACT: Service level agreement (SLA) specification languages are designed to express monitorable contracts between service providers and consumers. It is of interest to determine if predictive models can be derived for SLAs expressed in such languages, if possible in automated fashion. For this purpose, we study in this paper the mapping of the Web Service Level Agreement (WSLA) into reward metrics defined in the Stochastic Discrete Event Systems (SDES) formalism. We associate a formal semantics with WSLA elements and map these on SDES through a five step mapping process, which includes expressions for the metrics and functions on these metrics, the time at which to predict, and the ultimate service level compliance probability. We illustrate our approach through a stock quote web service example.
Computer Performance Engineering - 8th European Performance Engineering Workshop, EPEW 2011, Borrowdale, UK, October 12-13, 2011. Proceedings; 01/2011
[Show abstract][Hide abstract] ABSTRACT: In this paper we discuss the current state of our work regarding the development and planned in-situ testing of a computer-based system to enhance community relations through the Neighbourhood Watch scheme. The system is intended for use in a community to help the residents interact with each other more easily and to encourage the reporting of suspicious behaviour or crime. We discuss some details of the system and how we plan to test it in the field using an iterative process. We also discuss the possible implications of the work for the future.
International Conference on Computational Aspects of Social Networks, CASoN 2011, Salamanca, Spain, October 19-21, 2011; 01/2011
[Show abstract][Hide abstract] ABSTRACT: Web 2.0 applications allow individuals to manage their content online and to share it with other users and services on the Web. Such sharing requires access control to be put in place. Existing access control solutions, however, are unsatisfactory as they do not offer the functionality that users need in the open and user-driven Web environment. Additionally, such solutions are often custom-built and require substantial development effort, or use existing frameworks that provide benefits to developers only. New proposals such as User-Managed Access (UMA) show a promising solution to authorization for Web 2.0 applications. UMA puts the end user in charge of assigning access rights to Web resources. It allows users to share data more selectively using centralized authorization systems which make access decisions based on user instructions. In this paper, we present the UMA/j framework which implements the UMA protocol and allows users of Web applications to use their preferred authorization mechanisms. It also supports developers in building access control for their Web 2.0 applications by providing ready-to-use components that can be integrated with minimum effort.
[Show abstract][Hide abstract] ABSTRACT: Recent advances in the research of usable security have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk reduction and the business impact of information security controls, but not the impact that controls have on users. Rather than trying to remind security managers of usability, we present a new paradigm -- a stealth approach which incorporates the impact of security controls on users' productivity and willingness to comply into business impact and risk reduction. During two 2-hour sessions, 3 IT security managers discussed with us mock-up tool prototypes that embody these principles, alongside a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and "hot-desking" initiatives). Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.
[Show abstract][Hide abstract] ABSTRACT: Although adaptivity, the ability to adapt, is an important property of complex computing systems, so far little thought has been given to its evaluation. In this paper we propose a framework and methodology for the definition of benefit-based adaptivity metrics. The metrics thus defined allow an informed choice between systems based on their adaptivity to be made. We demonstrate application of the framework in a case study of restart strategies for Web Services Reliable Messaging. Additionally, we provide a broad survey of related approaches that may be used in the study of adaptivity (comprising, among others, robustness, performability, and control analysis), and evaluate their respective merits in relation to the proposed adaptivity metric.
[Show abstract][Hide abstract] ABSTRACT: The rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as ``Web 2.0'', with examples such as Google Docs, Flickr, or Wordpress, that allow users to create, manage and share their content online. By switching from desktop applications to their cloud-based Web equivalents users release even more data online. It is the user who creates this data, who disseminates it and who shares it with other users and services. Storing and sharing resources on the Web poses new security challenges. Access control, in particular, is currently poorly addressed in such an environment and is not well suited to the increasing number of resources that are available online. We propose a new approach to access control for the Web. Our approach puts a user in full control of assigning access rights to their resources which may be spread across multiple cloud-based Web applications. Unlike existing authorization systems, it relies on a user's centrally located security requirements for these resources.
Distributed Computing Systems Workshops (ICDCSW), 2010 IEEE 30th International Conference on; 07/2010
[Show abstract][Hide abstract] ABSTRACT: Web 2.0 technologies have made it possible to migrate traditional desktop applications to the Web, resulting in a rich and dynamic user experience and in expanded functionality. Individuals can create and manage their content online, and they are not only consumers of Web services, but also active participants on the Web platform. As a result, potentially large amounts of personal, sensitive, and valuable data is put online, spread across various Web services. Users sometimes share this data with other users and services on the Web, but are also concerned about maintaining privacy and sharing their data securely. Currently, users must use diverse access control solutions available for each Web service to secure data and control its dissemination. When such mechanisms are used on a daily basis, they add considerable overhead, especially since these mechanisms often lack sophistication with respect to functionality as well as user interfaces. To alleviate this problem, we discuss a novel approach to access management for Web resources that includes a user as a core part of its model. The proposal puts the user in charge of assigning access rights to resources that may be hosted at various Web applications. It facilitates the ability of users to share data more selectively using a centralized authorization manager which makes access decisions based on user instructions.
Proceedings of the 6th Workshop on Digital Identity Management, Chicago, Illinois, USA, October 8, 2010; 01/2010
[Show abstract][Hide abstract] ABSTRACT: This paper explores the need for a collaborative development tool to allow information security experts to capture their interrelated knowledge in an ontology. Such a tool would enable organisations to make more informed security policy decisions around shared security issues. However, population of ontologies can be time-consuming and error-prone, and current collaborative ontology editing tools require a familiarity with ontology concepts. We present a Web-oriented tool which simplifies ontology population for information security experts, allowing them to develop ontology content without the need to understand ontology concepts. To understand how organisations manage information security knowledge within policies, we consulted two information security managers in large organisations. The Web-Protégé collaborative ontology editor was then modified to create a tool with an appropriate knowledge ontology structure that meets their requirements. The same information security managers then evaluated the tool, judging it to be accessible and potentially useful in policy decision-making.
Proceedings of the 4th ACM Symposium on Computer Human Interaction for Management of Information Technology, CHIMIT 2010, San Jose, CA, USA, November 12-13, 2010; 01/2010
[Show abstract][Hide abstract] ABSTRACT: Uncertainty is an inherent property of open, distributed and multiparty systems. The viability of the mutually beneficial
relationships which motivate these systems relies on rational decision-making by each constituent party under uncertainty.
Service provision in distributed systems is one such relationship. Uncertainty is experienced by the service provider in his
ability to deliver a service with selected quality level guarantees due to inherent non-determinism, such as load fluctuations
and hardware failures. Statistical estimators utilized to model this non-determinism introduce additional uncertainty through
sampling error. Inability of the provider to accurately model and analyze uncertainty in the quality level guarantees can
result in the formation of sub-optimal service provision contracts. Emblematic consequences include loss of revenue, inefficient
resource utilization and erosion of reputation and consumer trust. We propose a utility model for contract-based service provision
to provide a systematic approach to optimal service provision contract formation under uncertainty. Performance prediction
methods to enable the derivation of statistical estimators for quality level are introduced, with analysis of their resultant
accuracy and cost.
Mathematics Subject Classification (2000)Primary 91A40-68M14-68T99-Secondary 91A10
KeywordsGrid computing-virtual organization-self organization-cooperative game theory
[Show abstract][Hide abstract] ABSTRACT: The majority of modern-day companies store commercially sensitive and valuable information assets in digital form. It is essential for the Chief Information Security Officer (CISO) within an organisation to ensure that such information is adequately protected. External standards exist to advise CISOs on how to secure infor- mation, but these are essentially "one-size-fits-all". Furthermore they do not consider the human-behavioural aspects that determine the impact of security controls upon employees, or how security controls can be best deployed to manage insecure employee behaviour. CISOs require more information than they are currently provided with to justify their information security management decisions. Here we present a knowledge base and accompanying user interface. The knowledge base represents key struc- tural components of the ISO27002 security standard, formally relating them to one another. This empowers CISOs to understand how different security measures impact upon each other. It also considers how human- behavioural factors can be associated with these concepts. The accompanying user interface provides a means to present formalised information security concepts to CISOs. This paper describes the development of the knowledge base and user interface, highlighting and discussing key challenges and how they were resolved.
ICSOFT 2009 - Proceedings of the 4th International Conference on Software and Data Technologies, Volume 2, Sofia, Bulgaria, July 26-29, 2009; 01/2009