8. Enabling Continuous Privacy Risk Management in IoT Systems

Industry in all sectors is experiencing a profound digital transformation that puts software at the core of their businesses. To react to continuously changing user requirements and dynamic markets, companies need to build robust workflows that allow them to increase their agility in order to remain competitive. This increasingly rapid transformation, especially in domains such as the Internet of Things or cloud computing, poses significant challenges to guaranteeing high-quality software, since dynamism and agile short-term planning reduce the ability to detect and manage risks. In this study, the authors describe the main challenges related to managing risk in agile software development, building on the experience of more than 20 agile coaches operating continuously for 15 years with hundreds of teams in industries in all sectors. They also propose a framework to manage risks that considers those challenges and supports collaboration, agility, and continuous development. An implementation of that framework is then described in a tool that handles risks and mitigation actions associated with the development of multi-cloud applications. The methodology and the tool have been validated by a team of evaluators who were asked to consider its use in developing an urban smart mobility service and an airline flight scheduling system.
Critical infrastructures and industrial control systems are complex Cyber-Physical Systems (CPS). To ensure reliable operation of such systems, comprehensive threat modeling during system design and validation is of paramount significance. Previous works in the literature mostly focus on safety, risks and hazards in CPS but lack the effective threat modeling necessary to eliminate cyber vulnerabilities. Further, the impact of cyber attacks on physical processes is not fully understood. This paper presents a comprehensive threat modeling framework for CPS using STRIDE, a systematic approach for ensuring system security at the component level. This paper first devises a feasible and effective methodology for applying STRIDE and then demonstrates it against a real synchrophasor-based synchronous islanding testbed in the laboratory. It investigates (i) what threat types could emerge in each system component based on the security properties it lacks, and (ii) how a vulnerability in a system component puts the security of the entire system at risk. The paper identifies that STRIDE is a lightweight and effective threat modeling methodology for CPS that simplifies the task for security analysts of identifying vulnerabilities and planning appropriate component-level security measures at the system design stage.
Risk management in distributed software development (DSD) is a well-researched area, providing different methods for assessing risks and suggesting control strategies. However, some of these methods are narrow in scope, considering only a few risks, and are too complex to be used in practice, whereas others provide many rules and guidelines which are often implicit. Moreover, the knowledge related to risks in DSD is scattered over different publications, which makes it difficult to find relevant information to be used in practice. This research aims to develop an automated decision support system to aid practitioners in assessing risks and deciding on suitable control strategies. In order to construct the knowledge base for the proposed decision support system, a systematic literature review (SLR) is conducted. Results of the SLR are used to identify the required questions, options and set of rules to implement our decision support system (DSS). In total, 80 studies were identified, from which 49 aspects, 53 questions and a set of rules are extracted. The DSS is evaluated through multiple case studies. The results indicate that the developed DSS supports the decision-making process in risk assessment and selection of a control strategy.
Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.
Incident response is a critical security function in organisations that aims to manage incidents in a timely and cost-effective manner. This research was motivated by previous case studies that suggested that the practice of incident response frequently did not result in the improvement of strategic security processes such as policy development and risk assessment. An exploratory in-depth case study was performed at a large global financial institution to examine shortcomings in the practice of incident response. The case study revealed the practice of incident response, in accordance with detailed best-practice guidelines, tended to adopt a narrow technical focus aimed at maintaining business continuity whilst neglecting strategic security concerns. The case study also revealed that the (limited) post-incident review process focused on ‘high-impact’ incidents rather than ‘high-learning’ (i.e. potentially useful incidents from a learning perspective) incidents and ‘near misses’. In response to this case study, we propose a new double-loop model for incident learning to address potential systemic corrective action in such areas as the risk assessment and policy development processes.
The Internet of Things (IoT) has recently become one of the most relevant emerging technologies in the IT landscape. IoT systems are characterized by the high heterogeneity of the architectural components involved (e.g., device platforms, services, networks, architectures) and span a multiplicity of application domains. In the IoT scenario, the identification of specific security requirements and the security design are very complex and expensive tasks, since they heavily depend on the deployment configuration actually in place and require security experts. In order to overcome these issues, we propose an approach aimed at supporting the security analysis of an IoT system by means of an almost completely automated process for threat modeling and risk assessment, which also helps identify the security controls to implement in order to mitigate existing security risks. We demonstrate the effectiveness of the approach by discussing its application to a home automation system built on top of commercial IoT products.
Context: The distributed agile development (DAD) approach has been adopted by software companies for its cost and time benefits. However, it causes significant challenges, given the contradicting nature of agile and distributed development.

Objective: The objective of this study is to develop a risk management framework that comprises the perceived risks in DAD projects, their causes and the methods used in industry for managing those risks.

Method: This work is an extension of an exploratory study in which DAD practitioners reported the risks they face in projects and the methods they use for managing those risks. The identified risks were further categorized based on their relevance to different aspects of DAD projects. In this extension, industry practitioners ranked the risks by their impact on DAD projects and rated the methods by the frequency of their use in projects. As the number of risks under each category was too large for ranking, they were grouped under risk areas within each category. The ranking of risk categories, risk areas and risk factors by their impact on DAD projects manifests their importance. The framework includes ranked risks, their causes and the risk management approaches. It was partially implemented in live projects in three different companies and was found to be beneficial.

Results: The perceived impact of the risk categories 'Group Awareness', 'External Stakeholder Collaboration' and 'Software Development Life Cycle' on DAD projects has been found to be high and caused by the properties of Distributed Software Development (DSD). The partial validation of the framework in three companies reported the elimination of the majority of risk factors and/or a reduction in their impact.

Conclusion: DAD projects provide significant benefits but hold substantial risks due to the contradiction between distributed development and agile practices. The reported framework could effectively minimize the DAD risks in practice.
Our earlier work indicates the feasibility of eliciting multi-cloud requirements and thus identifying selectable cloud services based on a risk-driven approach. Once an overview of the selectable services that treat a specific risk is obtained, a decision needs to be taken regarding the final selection. This position paper focuses on providing a practical and simple approach to choosing a concrete cloud service (or a set thereof) when several alternatives are available. We propose a risk-driven cost-benefit analysis approach and exemplify how a decision maker, such as a business analyst or a multi-cloud architecture designer, can apply it in the context of cloud service selection. The strength of the approach is in its simplicity, since it is based on a set of relatively comprehensible guidelines. Still, we consider this to be work in progress, since an analysis of how to combine a set of interdependent cloud services (which address several respective risks) is necessary for enabling a full-scale design of a multi-cloud based architecture.
A software development ecosystem composed of nine working elements makes it possible to continuously secure application software throughout the entire Software Development Lifecycle (SDLC) and while it's in production use. By orchestrating the activity of these nine elements, organizations and their leadership can reliably and repeatedly produce high-quality software that can stand up to attacks or rapidly recover from intentional or unintentional malicious activity.
Information is a perennially significant business asset in all organizations. Therefore, it must be protected like any other valuable asset. This is the objective of information security, and an information security program provides this kind of protection for a company's information assets and for the company as a whole. One of the best ways to address information security problems in the corporate world is through a risk-based approach. In this paper, we present a taxonomy of security risk assessment drawn from 125 papers published from 1995 to May 2014. Organizations of different sizes may face problems in selecting suitable risk assessment methods that satisfy their needs. Although many risk-based approaches have been proposed, most of them are based on the old taxonomy, avoiding the need to consider and apply the important criteria in assessing risk raised by rapidly changing technologies and the attackers' knowledge level. In this paper, we discuss the key features of risk assessment that should be included in an information security management system. We believe that our new risk assessment taxonomy helps organizations not only to understand risk assessment better by comparing different new concepts but also to select a suitable way to conduct the risk assessment properly. Moreover, this taxonomy will open up interesting avenues for future research in the growing field of security risk assessment.
The Internet of Things (IoT) is going to create a world where physical objects are seamlessly integrated into information networks in order to provide advanced and intelligent services for human beings. Trust management plays an important role in IoT for reliable data fusion and mining, qualified services with context-awareness, and enhanced user privacy and information security. It helps people overcome perceptions of uncertainty and risk and fosters user acceptance and consumption of IoT services and applications. However, the current literature still lacks a comprehensive study on trust management in IoT. In this paper, we investigate the properties of trust, propose objectives of IoT trust management, and provide a survey on the current literature advances towards trustworthy IoT. Furthermore, we discuss unsolved issues, specify research challenges and indicate future research trends by proposing a research model for holistic trust management in IoT.
From the Book: Why We Wrote This Book

True believers represent software development alternatives. In the last few years, two ostensibly conflicting approaches to software development have competed for hegemony. Agile method supporters released a manifesto that shifts the focus from traditional plan-driven, process-based methods to lighter, more adaptive paradigms. Traditional methods have reasserted the need for strong process discipline and rigorous practices. True believers on both sides have raised strident, often antagonistic, voices.

This book is for the rest of us. We wrote this book for the rest of us, those caught in the middle of the method wars simply trying to get our projects completed and accepted within too-tight schedules and budgets. We hope to clarify the perplexity about the roles of discipline, agility, and process in software development. We objectively compare and contrast the traditional, plan-driven approaches to the newer, agile approaches and present an overview of their home grounds, strengths, and weaknesses. We then describe a risk-based approach to aid in balancing agility and discipline within a software development project.

Our goal is to help you in your business environment. We hope that this is a practical book. It is intended to be neither academic nor exhaustive, but pragmatic. It is based on our own development experiences, current and past literature, long conversations with proponents of agile and plan-driven approaches, teaching students how to balance discipline and agility, and years of observing and measuring software development in industry, government, and academia. We discuss the subject matter absent a need to choose sides. Our goal is to help you gain the understanding and information you need to integrate the approaches in a manner that best fits your business environment.

Who Should Read This Book

The perplexed, or just curious. This book is for perplexed software and management professionals who have heard the buzz about agile methods and want to separate the chaff from the wheat. Perhaps you have a CMM- or ISO-certified organization and want to know if and how agile methods can help you. Or perhaps some part of your organization has adopted agile methods and you are unsure of how they should fit in. Fundamentally, if you need to understand how the latest software development approaches can help meet business goals, this book is for you. Software project managers and mid-level executives should read this book to understand the agility/plan-driven controversy and learn how best to apply the new approaches in your organizations. Software developers should read this book to better understand how your field is evolving and what it means for your career. Computer science and software engineering students should read this book to better understand how to make choices about your own level of discipline, both in school and at work. Academicians should read this book to understand some of what your students are asking about, and how to help them make informed decisions. Proponents of both agile and plan-driven methods should read this book to dispassionately look at your opponent's ideas. CIOs and CEOs should read this book to help you understand what's going on in the software world and what implications it may have for your company.

How To Read This Book

Several ways to read the book. Most of you are busy people, and "must-read" material attacks you from all sides, 24/7. Some of you want to quickly assess the material for later reflection. Others want to know how to implement the concepts we present. For that reason, we've tried to make this book easy to read quickly but with pointers to more in-depth material.

In a hurry? Use the fast track for a quick overview. If time is short, use the fast track summaries to scan the total content of the book, stopping to read things you find interesting or particularly applicable to your needs, and following the icons for specific technical information. If you find you need even more detailed material, there are references as well as a list of additional resources in Appendix F.

First and last chapters are key. You can also tailor your reading through chapter selection. Reading the first and last chapters gives a pretty good idea of the material at a familiarization level. You can read the chapters in any order. Here is a quick summary: The first chapter sets the stage for what follows. It introduces the main points and provides an executive summary of the book. Chapter 2 compares the agile and plan-driven approaches and provides insight into the type of projects where each has been most successful, their home grounds. Chapter 3 provides an experiential introduction to the approaches by describing how both a typical and not-so-typical day might be spent using each. Chapter 4 presents two project case studies that illustrate the limits of pure agile and pure plan-driven implementations and the benefits of integrating the approaches. Chapter 5 describes a risk-based approach for making methodology decisions that integrate agile and plan-driven practices, and illustrates it with representative examples. Chapter 6 summarizes the material and offers some final observations. Appendix A provides top-level descriptions of the major agile and plan-driven methods, highlighting their primary distinguishing factors, and a summary of those factors for comparison. Appendices B-E provide technical and background information to support our analyses and speak to specific technical topics. Appendix F supplies references, and the endnotes are listed by chapter in Appendix G.
The continuously changing nature of the technological environment forces the process of information security risk analysis to be revised accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze the security risks of information technologies by taking current necessities into consideration. The new method is named the Information Security Risk Analysis Method (ISRAM). A case study has shown that ISRAM yields consistent results in a reasonable time period while allowing the participation of the managers and staff of the organization.
DeMarco's "Structured Analysis and System Specification" is the final paper chosen for inclusion in this book of classic articles on the structured revolution. It is the last of three on the subject of analysis, and, together with Ross/Schoman [Paper 22] and Teichroew/Hershey [Paper 23], provides a good idea of the direction that structured analysis will be taking in the next few years. Any competent systems analyst undoubtedly could produce a five-page essay on "What's Wrong with Conventional Analysis." DeMarco, being an ex-analyst, does so with pithy remarks, describing conventional analysis as follows: "Instead of a meaningful interaction between analyst and user, there is often a period of fencing followed by the two parties' studiously ignoring each other... The cost-benefit study is performed backwards by deriving the development budget as a function of expected savings. (Expected savings were calculated by prorating cost reduction targets handed down from On High.)" In addition to providing refreshing prose, DeMarco's approach differs somewhat, in terms of emphasis, from that of Teichroew/Hershey and of Ross/Schoman. Unlike his colleagues, DeMarco stresses the importance of the maintainability of the specification. Take, for instance, the case of one system consisting of six million lines of COBOL and written over a period of ten years by employees no longer with the organization. Today, nobody knows what the system does. Not only have the program listings and source code been lost, a relatively minor disaster that we all have seen too often, but the specifications are completely out of date. Moreover, the system has grown so large that neither the users nor the data processing people have the faintest idea of what the system is supposed to be doing, let alone how the mysterious job is being accomplished!

The example is far from hypothetical, for this is the fate that all large systems eventually will suffer, unless steps are taken to keep the specifications both current and understandable across generations of users. The approach that DeMarco suggests, an approach generally known today as structured analysis, is similar in form to that proposed by Ross and Schoman, and emphasizes a top-down, partitioned, graphic model of the system-to-be. However, in contrast to Ross and Schoman, DeMarco also stresses the important role of a data dictionary and the role of scaled-down specifications, or minispecs, to be written in a rigorous subset of the English language known as Structured English. DeMarco also explains carefully how the analyst proceeds from a physical description of the user's current system, through a logical description of that same system, and eventually into a logical description of the new system that the user wants. Interestingly, DeMarco uses top-down, partitioned dataflow diagrams to illustrate this part of the so-called Project Life Cycle, thus confirming that such a graphic model can be used to portray virtually any system. As in other short papers on the subject, the details necessary for carrying out DeMarco's approach are missing or are dealt with in a superficial manner. Fortunately, the details can be found: listed at the end of the paper are references to three full-length books and one videotape training course, all dealing with the kind of analysis approach recommended by DeMarco.
Ferry, N., A. Solberg, H. Song, S. Lavirotte, J.-Y. Tigli, T. Winter, V. Muntés-Mulero, A. Metzger, E. R. Velasco, and A. C. Aguirre. 2018. "ENACT: Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems". In: International Workshop on Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment. Springer. 112-127.

Gupta, S., V. Muntés-Mulero, P. Matthews, J. Dominiak, A. Omerovic, J. Aranda, and S. Seycek. 2015. "Risk-driven framework for decision support in cloud service selection". In: 2015 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing. IEEE. 545-554.

Naseer, H., G. Shanks, A. Ahmad, and S. Maynard. 2017. "Towards an Analytics-Driven Information Security Risk Management: A Contingent Resource Based Perspective". In: Proceedings of ECIS 2017. 2645-2655.

Shostack, A. 2014. Threat Modeling: Designing for Security. John Wiley & Sons.

Wuyts, K. 2015. "Privacy Threats in Software Architectures".