Additional affiliations: January 2003 - September 2013
Publications (130)
In the forthcoming era of quantum computing, revisions will be forced on secure communication. Modern public-key communication systems are vulnerable to attacks by quantum computers. Fortunately, quantum-safe encryption algorithms and quantum-based solutions already exist. The US National Institute of Standards and Technology has published t...
With society's increased dependence on information communication systems, the need for dependable, trustable, robust, and secure adaptive systems becomes ever more acute. Modern autonomic message-oriented middleware platforms have stringent requirements for self-healing, adapting, evolving, fault-tolerance, security, and active vulnerability assess...
Cybersecurity is a rapidly growing field, both with respect to its significance for the societies, and in terms of business activities. Consequently, the demand for cybersecurity expertise is huge, posing remarkable challenges for cybersecurity competence and skills development. We analyze the current level of national cybersecurity competence in t...
Securing the growing amount of IoT devices is a challenge for both the end-users bringing IoT devices into their homes, as well as the corporates and industries exposing these devices into the Internet as part of their service or operations. The exposure of these devices, often poorly configured and secured, offers malicious actors an easy access t...
The threat of DDOS and other cyberattacks has increased during the last decade. In addition to the radical increase in the number of attacks, they are also becoming more sophisticated with the targets ranging from ordinary users to service providers and even critical infrastructure. According to some resources, the sophistication of attacks is incr...
This study examines the current status and future projections of cyber security competence in Finland. Cyber security competence refers to research, development and innovations relating to cyber security. The report analyses the cyber security research of Finnish businesses, universities and research institutions, cyber security education, innovati...
Operational security assurance of a networked system requires providing constant and up-to-date evidence of its operational state. In a cloud-based environment we deploy our services as virtual guests running on external hosts. As this environment is not under our full control, we have to find ways to provide assurance that the security information...
Self-adaptive security is needed because of the vast number of changes in an execution environment and threat landscape, not all of which can be anticipated at software design time. Self-adaptive security requires means for monitoring the security level and decision-making capability to improve the current security level. In this paper, we describe how security...
Security in Android smartphone platforms deployed in public safety and security mobile networks is a remarkable challenge. We analyse the security objectives and controls for these systems based on an industrial risk analysis. The target system of the investigation is an Android platform utilized for public safety and security mobile network. We an...
Recently, various applications applying ubiquitous computing have appeared. For instance, health applications have benefited from information and services, which are available from various sensors and medical devices in the surrounding environment. These applications utilize different wireless communication technologies in order to achieve a good c...
This paper considers the Internet of Things with a large number of nodes, via example applications in house automation, smart grid, environmental, automotive, smart traffic, and eHealth areas. The aim of this paper is to present a security analysis and metrics development model for a Wireless Sensor Networks (WSN) - Mobile Cellular Network (MCN) b...
Emerging E-health applications utilizing IoT (Internet of Things) solutions should be sufficiently secure and robust. Adaptive security management techniques enable maintenance of a sufficient security level under changing context, threats and usage scenarios. Systematic adaptive security management is based on security metrics. We analyze security...
Quantification of information security can be used to obtain evidence to support decision-making about the security performance of software systems. Knowledge about the relational importance of the main quality criteria of security metrics can help build security metrology models based on practical needs. This paper presents the results of a quanti...
Security for Android smartphone platforms is a challenge arising in part from their openness. We analyse the security objectives of two distinct envisioned public safety and security mobile network systems utilising the Android platform. The analysis is based on an industrial risk analysis activity. In addition, we propose initial heuristics for se...
To many of us, the Internet of Things (IoT) is still an emerging concept. To cast a clear light on this new landmark in technology, in this edition of Visions our multidisciplinary team of experts shares its latest insights on the IoT and on its implications for productivity. Tomorrow, the Internet of Things will be a seamless part of everyday life...
Assurance is commonly considered as “something said or done to inspire confidence” (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verificatio...
The Internet of Things (IoT) is assumed to be an integrated part of Future Internet. IoT can be regarded as an extension of the existing interaction between humans and applications through the new dimension of “Things” communication and integration. IoT networks in the scale of million nodes are possible even today but managing the nodes and inform...
Security is a major concern in the emergence of new digital ecosystems. We propose an initial metrics-driven framework to manage security in IoT (Internet of Things) E-Health applications. The framework enables informed self-care of chronic diseases such as diabetes, COPD and arthritis. The approach consists of security domain classification, secur...
Large amounts of business-critical data are transferred, processed and stored in cloud services, raising concerns about their security level. Adequate security management of cloud services is vital to their success. Systematically developed and maintained security metrics can be used to offer evidence of the security effectiveness of cloud services...
Systematically managed, sufficient and credible security metrics increase the understanding of the security effectiveness level of software-intensive systems during the system development and operation. Risk-driven top-down modeling enables systematic and meaningful security metrics development. We propose six strategies for security measurement ob...
E-health applications utilizing IoT (Internet of Things) technologies hold a significant promise: biomedical sensor networks and the appropriate interpretation of the data originating from them enable better self-care of chronic diseases, and thus have the potential to yield remarkable savings in national healthcare budgets. However, security is a major...
The need for effective and efficient information security solutions is steadily increasing in the software industry. Software and system developers require practical and systematic approaches to obtain sufficient and credible evidence of the security level in the system under development in order to guide their efforts and ensure the efficient use...
Sufficient and credible information security measurement in software-intensive systems requires use of a variety of security metrics offering security-related evidence from different viewpoints. Visualization is needed to facilitate management of security metrics and measurements and to increase the meaningfulness of them in decision-making such as...
Measuring and evaluating cyber security is of primary importance in IT systems. The fundamental need to assess security choices validity and effectiveness is growing. One of the main accepted approaches to this problem is a standardized offline security assurance evaluation. But, this method is static, time consuming and does not scale well to comp...
This paper discusses several relevant aspects of performing monitoring in the context of software-intensive systems. The focus is especially on cases where the observed system is distributed, and the monitoring system needs to be secure, dependable and capable of adapting to a number of dynamic scenarios during the system evolution. Based on the an...
This paper presents an empirical analysis of security and user experience issues in cloud computing. The study is based on the assumption that superior user experience and user-centric security are the two crucial issues that help to build an overall experience for the cloud service user. Qualitative research analysis is used to collect perspective...
Measuring security is a complex task and requires a great deal of knowledge. Managing this knowledge and presenting it in a universal way is challenging. This paper describes the Information Security Measuring Ontology (ISMO) for measuring information security. The ontology combines existing measuring and security ontologies and instantiates it thr...
Today large amounts of security and privacy-critical data are transferred, processed and stored in external cloud services. However, with many offerings, you need to be either an ignoramus or a daredevil to surrender such data. For the cautious, trustworthy, sufficient and credible evidence of the actual security, privacy and trust level is a prere...
Proceedings - 2nd IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2010. Indianapolis, IN, 30 Nov. - 3 Dec. 2010, 712 - 720 The cloud services are on everybody’s lips, but what is the standpoint of those needing to consider the implications of serious involvement? What trust related aspects the experts deem notewort...
Systematic and practical approaches to risk-driven operational security evidence help ensure the effectiveness and efficiency of security controls in business-critical applications and services. This paper introduces an enhanced methodology to develop security effectiveness metrics that can be used in connection with correctness assurance of securi...
AIP Conference Proceedings Vol.1281, 291 - 294 Distributed business-critical systems are often implemented using distributed messaging infrastructures with increasingly stringent requirements with regard to resilience, security, adaptability, intelligence and scalability. Current systems have limited ability in meeting these requirements. This pape...
Measurement of any complex, operational system is challenging due to the continuous independent evolution of the components. Security risks introduce another dimension of dynamicity, reflected to risk management and security assurance activities. The availability of different measurements and their properties will vary during the overall system lif...
Proceedings of the Fourth European Conference on Software Architecture: Companion, 197 - 204
Proceedings of the Fourth European Conference on Software Architecture: Companion, 151 - 154
Proceedings of the 2010 IEEE Second International Conference on Social Computing (SocialCom 2010). the Second IEEE International Conference on Privacy, Security, Risk and Trust (PASSAT 2010). Minneapolis, MN, USA, 20-22 Aug. 2010, 1086-1092 Large amounts of privacy-critical data are transferred, processed and stored in services like cloud computing...
Fifth European Conference on Model-driven Architecture Foundations and Applications, Enschede, 23 - 26 Jun. 2009, 33 - 41 In this paper we take the first steps from security modelling to run-time security monitoring. Providing full support for run-time security monitoring requires that the following issues are solved: security concepts have to be defined...
Increasing requirements for the resilience, security, adaptation, intelligence and scalability of complex business critical systems have set new challenges for system developers and application designers. Messaging infrastructures are often used to implement systems of this type. We provide an overview of the main advances in the adaptive security,...
This paper discusses different aspects of performing monitoring in the context of software-intensive systems. The focus is especially on cases where the observed system is distributed, and the monitoring system needs to be secure, dependable and capable of adapting to a number of dynamic scenarios during the system evolution. Based on analysis of moni...
Proceedings of the 4th International Conference on Emerging Security Information, Systems and Technologies. SECURWARE 2010. Venice/Mestre, 18 - 25 jul. 2010, 25 - 34
Proceedings of the 2010 International Conference on Distributed Computing Systems Workshops. IDCSW 2010. Genoa, 21 - 25 jun. 2010, 288 - 289 The 2nd Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing Systems. RDCS 2010
The Second Future Internet Symposium was held during September 1-3, 2009 in Berlin, Germany. FIS 2009 provided a forum for leading researchers and practitioners to meet and discuss the wide-ranging scientific and technical issues related to the design of a new Internet. This second edition of the symposium confirmed the sentiment shared during the Fir...
International Journal of Computer Science and Network Security Vol.10 Nr.1, 230 - 239 Security measurement of software-intensive systems is an emerging field, rapidly gaining momentum. Well-designed security metrics offer credible and sufficient evidence of security level and performance for security decision-making. In this study, we introduce a n...
International Journal on Advances in Security Vol.2 Nr.4, 358 - 380
International Journal on Advances in Security Vol.3 Nr.1/2, 34 - 51
Proceedings of the Fourth European Conference on Software Architecture: Companion, 189 - 196
Proceedings of the 2010 Information Security for South Africa. ISSA 2010 Conference, Sandton, 2 - 4 aug. 2010, 8 p
We introduce a novel high-level security metrics objective taxonomization model for software-intensive systems. The model systematizes and organizes security metrics development activities. It focuses on the security level and security performance of technical systems while taking into account the alignment of metrics objectives with different bus...
Carefully designed security metrics of practical relevance can be used to provide evidence of the security behavior of the system under development or operation. This study investigates a practical development of security metrics for a distributed messaging system based on threat and vulnerability analysis and security requirements. Our approach is...
Current business critical systems have stringent requirements for the significant and measurable increase in the end-to-end intelligence, security, scalability, self-adaptation and resilience. Existing state of the art messaging systems achieve arbitrary resilience by a brute-force approach. Self-healing is either rudimentary or non-existent. In th...
We propose an integrated security measurement architecture and framework for a dynamic self-organizing monitoring system based on mobile ad hoc networks (MANETs), structured according to currently known security challenges. The aim is to predict, as well as to monitor, the security performance, concentrating on the principal effects contributing to...
Inherent freedom due to lack of central authority in self-organized mobile ad hoc networks introduces challenges to security and trust management. Arguably, trust management is the most critical security issue in mobile ad hoc networks. If nodes do not have any prior knowledge of each other, the trust establishment becomes complicated. In this kind...
Communications in Computer and Information Science (CCIS) 36 Proceedings of the 3rd International Conference on Advances in Information Security and Its Application (ISA 2009). June 25-27, 2009, Seoul, Korea., 11 - 16 It is a widely accepted management principle that an activity cannot be managed well if it cannot be measured. Carefully designed se...
Proceedings of the 2nd International Conference on Dependability (DEPEND 2009). June 18-23, 2009, Athens/Glyfada, Greece., 7 - 12 We discuss the near-term and far-term security, trust and dependability challenges in wireless and mobile telecommunications, in an always-connected environment. We identify some relevant technological and threat trends...
In order to obtain evidence about the security strength or performance in software products and telecommunication systems we need automated information security analysis, validation, evaluation and testing approaches. Unfortunately, no widely accepted practical approaches are available. Information security testing of software-intensive and telecom...
Rouhiainen, Veikko (ed.), Scientific activities in Safety & Security 2009, 14-15
Tenth International Conference on Mobile Data Management: Systems, Services and Middleware (MDM 2009). Taipei, Taiwan, 18-20 May 2009., 449 - 458 Self-organization introduces major challenges to security and trust management in mobile ad hoc networks. In addition, security threats and vulnerabilities include lack of proper authentication, insecure...
Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2009). June 18-23, 2009, Athens/Glyfada, Greece., 121 - 128 The lack of appropriate information security solutions in software-intensive systems can have serious consequences for businesses and the stakeholders. Carefully designed s...
Proceedings of the Information Security South Africa 2009 (ISSA 2009) Conference. July 6-8, 2009, Johannesburg, South Africa., 69 - 80 Appropriate information security solutions for software-intensive systems, together with evidence of their security performance help to prevent serious consequences for businesses and the stakeholders. Security met...
Proceedings of the 4th International Conference on Software and Data Technologies 2009 (ICSOFT 2009). Volume 2. July 26-29, 2009, Sofia, Bulgaria., 129 - 134 At present, the security critical operations of terminal devices are often being executed in the operating system, which may include security vulnerabilities due to implementation faults, for...
Proceedings of the 4th International Conference on Software and Data Technologies 2009 (ICSOFT 2009). Volume 2. July 26-29, 2009, Sofia, Bulgaria., 171 - 174 Systematically and carefully designed information security metrics can be used to provide evidence of the security solutions of the system under development. The lack of appropriate security s...
Proceedings - 2009 3rd International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2009. Athens/Glyfada, Greece, 18 - 23 June 2009 Nr.Article number 5210980, x - xi
2009 International Conference on Application of Information and Communication Technologies, AICT 2009. Baku, Azerbaijan, 14 - 16 Oct. 2009
GEMOM (Genetic Message Oriented Secure Middleware) is an EU FP7 ICT project that focuses on the significant and measurable increase in the end-to-end intelligence, security and resilience of complex, distributed information systems. Complex, distributed software systems are virtually impossible to implement without heavy use of messaging infrastruc...
A holistic and semi-automatic framework for estimation of the overall security, privacy and trust (SPT) level could be used to answering to the challenges of the usage of mobile ad hoc networks in the Ubiquitous Computing Age. We propose our ideas for composing this framework, structured according to currently known security, privacy and trust chal...
The current Internet architecture is built around an original conversational model developed in the 1970s. For a long time, new solutions were built on that framework. However, the current architecture is no longer able to optimally meet the challenges posed by new access technologies, applications and services. In this paper, the purpose is to bring a...
Systematic approaches to measuring security are needed in order to obtain evidence of the security performance of products or an organization. In this study we survey the emerging security metrics approaches from the academic, governmental and industrial perspectives and aim to bridge the gap between information security management and Information...
Pervasive communications and the rapid expansion of the Internet trigger a myriad of concerns about trust and information security. Moreover, composing software from components and services originating from diverse sources, without thorough quality assurance practices, may expose serious weaknesses that open up the systems to malicious attacks and m...
To obtain evidence of the security of different products or organizations, systematic approaches to measuring security are needed. We introduce a high abstraction level taxonomy to support the development of feasible security metrics, along with a survey of the emerging security metrics from the academic, governmental and industrial perspectives. W...
Information security demands are increasing in today's complex and networked information technology environment. Systematic development of the information security requirements of practical software-intensive systems is typically ignored, at an inadequate level, or relies heavily on the experience of the security professionals. However, it is obvio...
Obviously, there is a need for automated information security analysis, validation, evaluation and testing approaches. Unfortunately, there is no state-of-the-art approach to carrying out information security evaluation in a systematic way. Information security evaluation of software-intensive and telecommunications systems typically relies heavily on...
In order to obtain evidence about the security strength in products we need automated information security analysis, validation, evaluation and testing approaches. Unfortunately, no widely accepted practical approaches are available. Information security testing of software-intensive and telecommunications systems typically relies heavily on the ex...
Information security management is becoming an increasingly important concern in today's business cooperation. Information security issues, however, have a surprisingly dualistic nature: almost everyone seems to be somehow familiar with them, but very few have a deeper understanding. Due to its multifaceted nature, information security should not...
Information security management in industrial automation systems differs in many ways from that of a typical office environment. Safety, reliability, availability and usability play the key roles. Infrastructures and devices with standardized implementations are increasingly being used in the industrial environment where traditionally isolated solutions have...
In order to better understand the achieved information security level in a product, system or organisation, information security managers must be able to get input from security objects. The use of information security metrics in certain Finnish industrial companies and State institutions, and its relation to the literature is studied. The techniqu...
Nowadays mobile devices are used in many professional business and leisure-time services. Major information security threats related to mobile services are examined from the service developer's perspective in this study. These threats can be categorized as mobile network, mobile device, digital convergence, authentication and payment threats, and s...
Component-based software architectures are being used more and more often in industry, creating new kinds of dynamic business relationships between the integrators and their partners in developing the components. In this kind of business it is especially important to ensure that both the components and the co-operation partners are trustworthy. One...
For senior executives, information security is a basic requirement for business success. Yet, despite being well-motivated, top managers often have only a superficial understanding of information security, which may lead them to make decisions that are not conducive to raising the organization's security level. Enhancing information security awaren...
Development of the information security requirements of practical telecommunications and software-intensive systems is typically at an inadequate level and relies heavily on the experience of the security professionals. Security requirements are the focus in all phases of security engineering. Obviously, automated approaches are needed in this f...
Information security evaluation of software-intensive systems typically relies heavily on the experience of the security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. We introduce a general-level holistic framework for s...
Industrial automation systems are showing a strong trend towards convergence and networking. Infrastructures and devices with standardized implementations are increasingly being used in the industrial environment where traditionally isolated solutions have been used before. Information security management has become an important concern in the fiel...
Digital convergence, the growing complexity of subcontracting networks and the rise in new, unknown risks call for a new paradigm in information security management. Joint operation agreements between organizations as well as demands from third party actors, such as government and environmental activists, require novel information security manageme...
Usually, information security management practices do not explicitly take account of weak signals, factors that lie below the detection surface, which may, however, constitute a huge security threat. This study analyses what kinds of weak signals are present in information security, followed by a discussion on their detection. Responses to weak sig...
The inherent freedom due to a lack of central authority in self-organized mobile ad hoc networks introduces challenges for security and trust management. Arguably, trust management is the most critical security issue in mobile ad hoc networks. If nodes do not have any prior knowledge of each other, the trust establishment becomes complicated. In th...
Practical evidence of the actual security performance of network systems is needed in order to be able to manage them in an adequate way. As no measurement can be done before the object of the measurement has been defined, the goal in this study was to clarify if the attack tree approach could be utilized in defining which fields of specific protoc...