Visible to the public Biblio

Filters: Keyword is Stakeholders  [Clear All Filters]
2020-05-04
Steinke, Michael, Adam, Iris, Hommel, Wolfgang.  2018.  Multi-Tenancy-Capable Correlation of Security Events in 5G Networks. 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :1–6.
The concept of network slicing in 5G mobile networks introduces new challenges for security management: Given the combination of Infrastructure-as-a-Service cloud providers, mobile network operators as Software-as-a-Service providers, and the various verticals as customers, multi-layer and multi-tenancy-capable management architectures are required. This paper addresses the challenges for correlation of security events in such 5G scenarios with a focus on event processing at telecommunication service providers. After an analysis of the specific demand for network-slice-centric security event correlation in 5G networks, ongoing standardization efforts, and related research, we propose a multi-tenancy-capable event correlation architecture along with a scalable information model. The event processing, alerting, and correlation workflow is discussed and has been implemented in a network and security management system prototype, leading to a demonstration of first results acquired in a lab setup.
2020-03-12
Liang, Shiaofang, Li, Mingchen, Li, Wenjing.  2019.  Research on Traceability Algorithm of Logistics Service Transaction Based on Blockchain. 2019 18th International Symposium on Distributed Computing and Applications for Business Engineering and Science (DCABES). :186–189.

The traditional logistics transaction lacks a perfect traceability mechanism, and the data information's integrity and safety are not guaranteed in the existing traceability system. In order to solve the problem of main body responsibility caused by the participation of many stakeholders and the uncompleted supervision system in the process of logistics service transaction, This paper proposes a traceability algorithm for logistics service transactions based on blockchain. Based on the logistics service supply chain and alliance chain, the paper firstly investigates the traditional logistics service supply chain, analyzes the existing problems, and combines the structural characteristics of the blockchain to propose a decentralized new logistics service supply chain concept model based on blockchain. Then, using Globe sandara 1 to standardize the physical products and data circulating in the new logistics service supply chain, form unified and standard traceable data, and propose a multi-dimensional traceable data model based on logistics service supply chain. Based on the proposed model, combined with the business process of the logistics service supply chain and asymmetric encryption, a blockchain-based logistics service transaction traceability algorithm is designed. Finally, the simulation results show that the algorithm realizes the end-to-end traceability of the logistics service supply chain, and the service transaction is transparent while ensuring the integrity and security of the data.

Wu, Hanqing, Cao, Jiannong, Yang, Yanni, Tung, Cheung Leong, Jiang, Shan, Tang, Bin, Liu, Yang, Wang, Xiaoqing, Deng, Yuming.  2019.  Data Management in Supply Chain Using Blockchain: Challenges and a Case Study. 2019 28th International Conference on Computer Communication and Networks (ICCCN). :1–8.

Supply chain management (SCM) is fundamental for gaining financial, environmental and social benefits in the supply chain industry. However, traditional SCM mechanisms usually suffer from a wide scope of issues such as lack of information sharing, long delays for data retrieval, and unreliability in product tracing. Recent advances in blockchain technology show great potential to tackle these issues due to its salient features including immutability, transparency, and decentralization. Although there are some proof-of-concept studies and surveys on blockchain-based SCM from the perspective of logistics, the underlying technical challenges are not clearly identified. In this paper, we provide a comprehensive analysis of potential opportunities, new requirements, and principles of designing blockchain-based SCM systems. We summarize and discuss four crucial technical challenges in terms of scalability, throughput, access control, data retrieval and review the promising solutions. Finally, a case study of designing blockchain-based food traceability system is reported to provide more insights on how to tackle these technical challenges in practice.

2020-03-09
Ionescu, Tudor B., Engelbrecht, Gerhard.  2016.  The Privacy Case: Matching Privacy-Protection Goals to Human and Organizational Privacy Concerns. 2016 Joint Workshop on Cyber- Physical Security and Resilience in Smart Grids (CPSR-SG). :1–6.

Processing smart grid data for analytics purposes brings about a series of privacy-related risks. In order to allow for the most suitable mitigation strategies, reasonable privacy risks need to be addressed by taking into consideration the perspective of each smart grid stakeholder separately. In this context, we use the notion of privacy concerns to reflect potential privacy risks from the perspective of different smart grid stakeholders. Privacy concerns help to derive privacy goals, which we represent using the goals structuring notation. Thus represented goals can more comprehensibly be addressed through technical and non-technical strategies and solutions. The thread of argumentation - from concerns to goals to strategies and solutions - is presented in form of a privacy case, which is analogous to the safety case used in the automotive domain. We provide an exemplar privacy case for the smart grid developed as part of the Aspern Smart City Research project.

2019-05-08
Balogun, A. M., Zuva, T..  2018.  Criminal Profiling in Digital Forensics: Assumptions, Challenges and Probable Solution. 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC). :1–7.

Cybercrime has been regarded understandably as a consequent compromise that follows the advent and perceived success of the computer and internet technologies. Equally effecting the privacy, trust, finance and welfare of the wealthy and low-income individuals and organizations, this menace has shown no indication of slowing down. Reports across the world have consistently shown exponential increase in the numbers and costs of cyber-incidents, and more worriedly low conviction rates of cybercriminals, over the years. Stakeholders increasingly explore ways to keep up with containing cyber-incidents by devising tools and techniques to increase the overall efficiency of investigations, but the gap keeps getting wider. However, criminal profiling - an investigative technique that has been proven to provide accurate and valuable directions to traditional crime investigations - has not seen a widespread application, including a formal methodology, to cybercrime investigations due to difficulties in its seamless transference. This paper, in a bid to address this problem, seeks to preliminarily identify the exact benefits criminal profiling has brought to successful traditional crime investigations and the benefits it can translate to cybercrime investigations, identify the challenges posed by the cyber-scene to its implementation in cybercrime investigations, and proffer a practicable solution.

2019-03-28
Varga, S., Brynielsson, J., Franke, U..  2018.  Information Requirements for National Level Cyber Situational Awareness. 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). :774-781.

As modern societies become more dependent on IT services, the potential impact both of adversarial cyberattacks and non-adversarial service management mistakes grows. This calls for better cyber situational awareness-decision-makers need to know what is going on. The main focus of this paper is to examine the information elements that need to be collected and included in a common operational picture in order for stakeholders to acquire cyber situational awareness. This problem is addressed through a survey conducted among the participants of a national information assurance exercise conducted in Sweden. Most participants were government officials and employees of commercial companies that operate critical infrastructure. The results give insight into information elements that are perceived as useful, that can be contributed to and required from other organizations, which roles and stakeholders would benefit from certain information, and how the organizations work with creating cyber common operational pictures today. Among findings, it is noteworthy that adversarial behavior is not perceived as interesting, and that the respondents in general focus solely on their own organization.

2019-03-04
Kannavara, R., Vangore, J., Roberts, W., Lindholm, M., Shrivastav, P..  2018.  Automating Threat Intelligence for SDL. 2018 IEEE Cybersecurity Development (SecDev). :137–137.
Threat intelligence is very important in order to execute a well-informed Security Development Lifecycle (SDL). Although there are many readily available solutions supporting tactical threat intelligence focusing on enterprise Information Technology (IT) infrastructure, the lack of threat intelligence solutions focusing on SDL is a known gap which is acknowledged by the security community. To address this shortcoming, we present a solution to automate the process of mining open source threat information sources to deliver product specific threat indicators designed to strategically inform the SDL while continuously monitoring for disclosures of relevant potential vulnerabilities during product design, development, and beyond deployment.
2019-02-08
Ioini, N. E., Pahl, C..  2018.  Trustworthy Orchestration of Container Based Edge Computing Using Permissioned Blockchain. 2018 Fifth International Conference on Internet of Things: Systems, Management and Security. :147-154.

The need to process the verity, volume and velocity of data generated by today's Internet of Things (IoT) devices has pushed both academia and the industry to investigate new architectural alternatives to support the new challenges. As a result, Edge Computing (EC) has emerged to address these issues, by placing part of the cloud resources (e.g., computation, storage, logic) closer to the edge of the network, which allows faster and context dependent data analysis and storage. However, as EC infrastructures grow, different providers who do not necessarily trust each other need to collaborate in order serve different IoT devices. In this context, EC infrastructures, IoT devices and the data transiting the network all need to be subject to identity and provenance checks, in order to increase trust and accountability. Each device/data in the network needs to be identified and the provenance of its actions needs to be tracked. In this paper, we propose a blockchain container based architecture that implements the W3C-PROV Data Model, to track identities and provenance of all orchestration decisions of a business network. This architecture provides new forms of interaction between the different stakeholders, which supports trustworthy transactions and leads to a new decentralized interaction model for IoT based applications.

2019-01-31
Sampigethaya, K., Kopardekar, P., Davis, J..  2018.  Cyber Security of Unmanned Aircraft System Traffic Management (UTM). 2018 Integrated Communications, Navigation, Surveillance Conference (ICNS). :1C1–1–1C1–15.

Millions of small Unmanned Aircraft System (sUAS) aircraft of various shapes and capabilities will soon fly at low altitudes in urban environments for ambitious applications. It is critical to ensure these remotely piloted aircraft fly safely, predictably, and efficiently in this challenging airspace, without endangering themselves and other occupants sharing that airspace or in proximity. Concepts, technologies, processes, and policies to solve this hard problem of UAS Traffic Management (UTM) are being explored. But, cyber security considerations are largely missing. This paper bridges this gap and addresses UTM cyber security needs and issues. It contributes a comprehensive framework to understand, identify, classify, and assess security threats to UTM, including those resulting from sUAS vulnerabilities. Promising threat mitigations, major challenges, and research directions are discussed to secure UTM.

2018-09-12
Jillepalli, A. A., Sheldon, F. T., Leon, D. C. de, Haney, M., Abercrombie, R. K..  2017.  Security management of cyber physical control systems using NIST SP 800-82r2. 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC). :1864–1870.

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2. Hence, presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.

2018-04-02
Zghidi, A., Hammouda, I., Hnich, B., Knauss, E..  2017.  On the Role of Fitness Dimensions in API Design Assessment - An Empirical Investigation. 2017 IEEE/ACM 1st International Workshop on API Usage and Evolution (WAPI). :19–22.

In this paper we present a case study of applying fitness dimensions in API design assessment. We argue that API assessment is company specific and should take into consideration various stakeholders in the API ecosystem. We identified new fitness dimensions and introduced the notion of design considerations for fitness dimensions such as priorities, tradeoffs, and technical versus cognitive classification.

2018-02-27
Ramadan, Q., Salnitriy, M., Strüber, D., Jürjens, J., Giorgini, P..  2017.  From Secure Business Process Modeling to Design-Level Security Verification. 2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS). :123–133.

Tracing and integrating security requirements throughout the development process is a key challenge in security engineering. In socio-technical systems, security requirements for the organizational and technical aspects of a system are currently dealt with separately, giving rise to substantial misconceptions and errors. In this paper, we present a model-based security engineering framework for supporting the system design on the organizational and technical level. The key idea is to allow the involved experts to specify security requirements in the languages they are familiar with: business analysts use BPMN for procedural system descriptions; system developers use UML to design and implement the system architecture. Security requirements are captured via the language extensions SecBPMN2 and UMLsec. We provide a model transformation to bridge the conceptual gap between SecBPMN2 and UMLsec. Using UMLsec policies, various security properties of the resulting architecture can be verified. In a case study featuring an air traffic management system, we show how our framework can be practically applied.

2018-02-15
Hibshi, H., Breaux, T. D..  2017.  Reinforcing Security Requirements with Multifactor Quality Measurement. 2017 IEEE 25th International Requirements Engineering Conference (RE). :144–153.

Choosing how to write natural language scenarios is challenging, because stakeholders may over-generalize their descriptions or overlook or be unaware of alternate scenarios. In security, for example, this can result in weak security constraints that are too general, or missing constraints. Another challenge is that analysts are unclear on where to stop generating new scenarios. In this paper, we introduce the Multifactor Quality Method (MQM) to help requirements analysts to empirically collect system constraints in scenarios based on elicited expert preferences. The method combines quantitative statistical analysis to measure system quality with qualitative coding to extract new requirements. The method is bootstrapped with minimal analyst expertise in the domain affected by the quality area, and then guides an analyst toward selecting expert-recommended requirements to monotonically increase system quality. We report the results of applying the method to security. This include 550 requirements elicited from 69 security experts during a bootstrapping stage, and subsequent evaluation of these results in a verification stage with 45 security experts to measure the overall improvement of the new requirements. Security experts in our studies have an average of 10 years of experience. Our results show that using our method, we detect an increase in the security quality ratings collected in the verification stage. Finally, we discuss how our proposed method helps to improve security requirements elicitation, analysis, and measurement.

2018-02-06
Brunner, M., Sillaber, C., Breu, R..  2017.  Towards Automation in Information Security Management Systems. 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS). :160–167.

Establishing and operating an Information Security Management System (ISMS) to protect information values and information systems is in itself a challenge for larger enterprises and small and medium sized businesses alike. A high level of automation is required to reduce operational efforts to an acceptable level when implementing an ISMS. In this paper we present the ADAMANT framework to increase automation in information security management as a whole by establishing a continuous risk-driven and context-aware ISMS that not only automates security controls but considers all highly interconnected information security management tasks. We further illustrate how ADAMANT is suited to establish an ISO 27001 compliant ISMS for small and medium-sized enterprises and how not only the monitoring of security controls but a majority of ISMS related activities can be supported through automated process execution and workflow enactment.

2018-02-02
Xu, B., Lu, M., Zhang, D..  2017.  A Software Security Case Developing Method Based on Hierarchical Argument Strategy. 2017 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). :632–633.

Security cases-which document the rationale for believing that a system is adequately secure-have not been sufficiently used for a lack of practical construction method. This paper presents a hierarchical software security case development method to address this issue. We present a security concept relationship model first, then come up with a hierarchical asset-threat-control measure argument strategy, together with the consideration of an asset classification and threat classification for software security case. Lastly, we propose 11 software security case patterns and illustrate one of them.

2017-11-20
Rudolph, M., Moucha, C., Feth, D..  2016.  A Framework for Generating User-and Domain-Tailored Security Policy Editors. 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW). :56–61.

In modern enterprises, incorrect or inconsistent security policies can lead to massive damage, e.g., through unintended data leakage. As policy authors have different skills and background knowledge, usable policy editors have to be tailored to the author's individual needs and to the corresponding application domain. However, the development of individual policy editors and the customization of existing ones is an effort consuming task. In this paper, we present a framework for generating tailored policy editors. In order to empower user-friendly and less error-prone specification of security policies, the framework supports multiple platforms, policy languages, and specification paradigms.

2017-03-07
Rashid, A., Moore, K., May-Chahal, C., Chitchyan, R..  2015.  Managing Emergent Ethical Concerns for Software Engineering in Society. 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. 2:523–526.

This paper presents an initial framework for managing emergent ethical concerns during software engineering in society projects. We argue that such emergent considerations can neither be framed as absolute rules about how to act in relation to fixed and measurable conditions. Nor can they be addressed by simply framing them as non-functional requirements to be satisficed. Instead, a continuous process is needed that accepts the 'messiness' of social life and social research, seeks to understand complexity (rather than seek clarity), demands collective (not just individual) responsibility and focuses on dialogue over solutions. The framework has been derived based on retrospective analysis of ethical considerations in four software engineering in society projects in three different domains.

Armin, J., Thompson, B., Ariu, D., Giacinto, G., Roli, F., Kijewski, P..  2015.  2020 Cybercrime Economic Costs: No Measure No Solution. 2015 10th International Conference on Availability, Reliability and Security. :701–710.

Governments needs reliable data on crime in order to both devise adequate policies, and allocate the correct revenues so that the measures are cost-effective, i.e., The money spent in prevention, detection, and handling of security incidents is balanced with a decrease in losses from offences. The analysis of the actual scenario of government actions in cyber security shows that the availability of multiple contrasting figures on the impact of cyber-attacks is holding back the adoption of policies for cyber space as their cost-effectiveness cannot be clearly assessed. The most relevant literature on the topic is reviewed to highlight the research gaps and to determine the related future research issues that need addressing to provide a solid ground for future legislative and regulatory actions at national and international levels.

2017-02-14
R. Leszczyna, M. Łosiński, R. Małkowski.  2015.  "Security information sharing for the polish power system". 2015 Modern Electric Power Systems (MEPS). :1-6.

The Polish Power System is becoming increasingly more dependent on Information and Communication Technologies which results in its exposure to cyberattacks, including the evolved and highly sophisticated threats such as Advanced Persistent Threats or Distributed Denial of Service attacks. The most exposed components are SCADA systems in substations and Distributed Control Systems in power plants. When addressing this situation the usual cyber security technologies are prerequisite, but not sufficient. With the rapidly evolving cyber threat landscape the use of partnerships and information sharing has become critical. However due to several anonymity concerns the relevant stakeholders may become reluctant to exchange sensitive information about security incidents. In the paper a multi-agent architecture is presented for the Polish Power System which addresses the anonymity concerns.