
    A Survey on Forensics and Compliance Auditing for Critical Infrastructure Protection

    The broadening dependency and reliance that modern societies have on essential services provided by Critical Infrastructures is increasing the relevance of their trustworthiness. However, Critical Infrastructures are attractive targets for cyberattacks, due to the potential for considerable impact, not just at the economic level but also in terms of physical damage and even loss of human life. Complementing traditional security mechanisms, forensics and compliance audit processes play an important role in ensuring Critical Infrastructure trustworthiness. Compliance auditing contributes to checking whether security measures are in place and compliant with standards and internal policies. Forensics assists the investigation of past security incidents. Since these two areas significantly overlap in terms of data sources, tools and techniques, they can be merged into unified Forensics and Compliance Auditing (FCA) frameworks. In this paper, we survey the latest developments, methodologies, challenges, and solutions addressing forensics and compliance auditing in the scope of Critical Infrastructure Protection. This survey focuses on relevant contributions capable of tackling the requirements imposed by massively distributed and complex Industrial Automation and Control Systems, in terms of handling large volumes of heterogeneous data (which can be noisy, ambiguous, and redundant) for analytic purposes, with adequate performance and reliability. The achieved results produced a taxonomy in the field of FCA whose key categories denote the relevant topics in the literature. Also, the collected knowledge resulted in the establishment of a reference FCA architecture, proposed as a generic template for a converged platform. These results are intended to guide future research on forensics and compliance auditing for Critical Infrastructure Protection.

    A systematic literature review on business-IT misalignment research

    There has been a large body of research on strategic alignment between business and information technology, which has also been summarised in several literature reviews. All of these studies describe that business-IT alignment has remained a focal point among business and IT leaders. However, little is known about a specific perspective, namely business-IT misalignment, on which, although some analytical works have been carried out over the last twenty years, no literature review has been compiled. The purpose of this article is to display and analyze relevant literature regarding business-IT misalignment and map the influential issues by conducting a systematic literature review. This study collected a total of 642 papers published in the Scopus and Google Scholar databases. Finally, 62 articles were selected for the systematic review. The study examined eight research questions for business-IT misalignment derived from recent, high-impact business-IT alignment literature reviews. Results are analyzed qualitatively to develop a better understanding of the current body of knowledge on business-IT misalignment and to provide a research agenda.

    On the real world practice of Behaviour Driven Development

    Surveys of industry practice over the last decade suggest that Behaviour Driven Development is a popular Agile practice. For example, 19% of respondents to the 14th State of Agile annual survey reported using BDD, placing it in the top 13 practices reported. As well as potential benefits, the adoption of BDD necessarily involves an additional cost of writing and maintaining Gherkin features and scenarios, and (if used for acceptance testing) the associated step functions. Yet there is a lack of published literature exploring how BDD is used in practice and the challenges experienced by real world software development efforts. This gap is significant because without understanding current real world practice, it is hard to identify opportunities to address and mitigate challenges. In order to address this research gap concerning the challenges of using BDD, this thesis reports on a research project which explored: (a) the challenges of applying agile and undertaking requirements engineering in a real world context; (b) the challenges of applying BDD specifically; and (c) the application of BDD in open-source projects to understand challenges in this different context. For this purpose, we progressively conducted two case studies, two series of interviews, four iterations of action research, and an empirical study. The first case study was conducted in an avionics company to discover the challenges of using an agile process in a large scale safety critical project environment. Since requirements management was found to be one of the biggest challenges during the case study, we decided to investigate BDD because of its reputation for requirements management. The second case study was conducted in the company with the aim of discovering the challenges of using BDD in real life. The case study was complemented with an empirical study of the practice of BDD in open source projects, taking a study sample from the GitHub open source collaboration site.
    As a result of this PhD research, we were able to discover: (i) challenges of using an agile process in a large scale safety-critical organisation, (ii) the current state of BDD in practice, (iii) technical limitations of Gherkin (i.e., the language for writing requirements in BDD), (iv) challenges of using BDD in a real project, and (v) bad smells in the Gherkin specifications of open source projects on GitHub. We also presented a brief comparison between the theoretical description of BDD and BDD in practice. This research, therefore, presents the results of lessons learned from BDD in practice, and serves as a guide for software practitioners planning on using BDD in their projects.

    Blockchain inspired secure and reliable data exchange architecture for cyber-physical healthcare system 4.0

    A cyber-physical system is considered to be a collection of strongly coupled communication systems and devices that poses numerous security challenges in various industrial applications, including healthcare. The security and privacy of patient data is still a big concern because healthcare data is sensitive and valuable, and it is heavily targeted over the internet. Moreover, from the industrial perspective, the cyber-physical system plays a crucial role in the remote exchange of data using sensor nodes in distributed environments. In the healthcare industry, Blockchain technology offers a promising solution to resolve most security-related issues due to its decentralization, immutability, and transparency properties. In this paper, a blockchain-inspired secure and reliable data exchange architecture is proposed for the cyber-physical healthcare industry 4.0. The proposed system uses BigchainDB, Tendermint, the Inter-Planetary File System (IPFS), MongoDB, and the AES encryption algorithm to improve Healthcare 4.0. Furthermore, a blockchain-enabled secure healthcare architecture for accessing and managing the records between Doctors and Patients is introduced. The development of a blockchain-based Electronic Healthcare Record (EHR) exchange system is purely patient-centric, which means the entire control of data is in the owner's hand, backed by blockchain for security and privacy. Our experimental results reveal that the proposed architecture is robust enough to handle more security attacks and can recover the data if 2/3 of the nodes have failed. The proposed model is patient-centric, and control of data is in the patient's hand to enhance security and privacy; even system administrators cannot access data without user permission.

    Specialized translation at work for a small expanding company: my experience internationalizing Bioretics© S.r.l. into Chinese

    Global markets are currently immersed in two all-encompassing and unstoppable processes: internationalization and globalization. While the former pushes companies to look beyond the borders of their country of origin to forge relationships with foreign trading partners, the latter fosters standardization across all countries by reducing spatiotemporal distances and breaking down geographical, political, economic and socio-cultural barriers. In recent decades, another domain has appeared to propel these unifying drives: Artificial Intelligence, together with its high technologies aiming to implement human cognitive abilities in machinery. The “Language Toolkit – Le lingue straniere al servizio dell’internazionalizzazione dell’impresa” project, promoted by the Department of Interpreting and Translation (Forlì Campus) in collaboration with the Romagna Chamber of Commerce (Forlì-Cesena and Rimini), seeks to help Italian SMEs make their way into the global market. It is precisely within this project that this dissertation has been conceived. Indeed, its purpose is to present the translation and localization project from English into Chinese of a series of texts produced by Bioretics© S.r.l.: an investor deck, the company website and part of the installation and use manual of the Aliquis© framework software, its flagship product. This dissertation is structured as follows: Chapter 1 presents the project and the company in detail; Chapter 2 outlines the internationalization and globalization processes and the Artificial Intelligence market both in Italy and in China; Chapter 3 provides the theoretical foundations for every aspect related to Specialized Translation, including website localization; Chapter 4 describes the resources and tools used to perform the translations; Chapter 5 proposes an analysis of the source texts; Chapter 6 is a commentary on translation strategies and choices.

    Attributes in Cloud Service Descriptions: A Comprehensive Content Analysis

    The exponential growth of cloud services can make it challenging for customers to find the best available service. This problem is further aggravated by incomplete and non-standardized service descriptions on cloud providers’ websites. This issue has not yet been adequately researched. In response to this gap and following the call (Lehner & Floerecke, 2023) to analyse IT service catalogues directed toward external customers, the purpose of this work is to examine attribute usage in customer-facing service descriptions available on providers’ websites. A literature review thereby identified 76 different attributes used for cloud service description. Although a vast number of attributes are used for cloud service descriptions, a core of attributes named in most papers could be detected. In a following step, a content analysis of 100 service descriptions available on cloud providers’ websites was performed to understand how frequently each attribute was used in cloud service descriptions by cloud providers in general, and also differentiated by size, cloud service model (IaaS, PaaS, SaaS), and geographical location of the provider. The majority of the attributes from the literature review could thereby be found in the content analysis as well. 15 more attributes were added to the initial list as they could not be matched to any of the attributes from the literature. In addition, it could be verified that criteria such as size, service model, and geographical location have a significant impact on attribute usage in service descriptions. Finally, expert interviews were conducted to gain additional insights. The consensus of the experts is that the main purpose of cloud service descriptions available on cloud providers’ websites is not necessarily to inform customers, but to attract and convince them.
    This research provides valuable information for both customers and cloud providers by identifying which attributes are currently used or not used for cloud service descriptions on providers’ websites, and can serve as a foundation for further research.

    The future of internal auditing: how technology is shaping the profession

    This thesis explores the integration of technology into internal auditing methods to enhance effectiveness and efficiency. The first chapter provides an overview of internal auditing, including its origins, objectives, and theoretical frameworks. Emphasis is placed on maintaining independence, corporate governance, and risk management. The second chapter focuses on planning and daily operations, detailing the steps involved in the audit process and generating reports for improvement. The core of the thesis lies in the third chapter, which highlights the impact of technology, such as Data Analytics, Automation, Process Mining, and Artificial Intelligence. These technologies aim to simplify tasks and enable continuous auditing and monitoring. The fourth chapter takes a focused look at the current regulations governing these technological issues.

    Method for identifying critical information and knowledge assets for the management and governance of organizations in the digital era

    This document is structured in six sections: Section 1 presents an introduction to this doctoral thesis, indicating what motivated its authors to develop it, the objectives it pursues, and the contributions it offers to organizations or research groups. Section 2 presents a state of the art in which the main contributions in areas related to this research are examined. Section 3 presents the development of the proposed solution, describing the materials and methods that were examined and used. Section 4 presents an analysis of the application of this proposal to two real cases with accessible information. Section 5 presents the conclusions and future work related to this research. Section 6 presents the bibliographic references used in this document.
    Doctoral Programme in Computer Science and Technology, Universidad Carlos III de Madrid. Chair: Ana María Moreno Sánchez-Capuchino. Secretary: Germán Lenin Dugarte Peña. Member: Francisco Javier Gil Rubi

    Three Essays on the Governance of Cybersecurity

    This dissertation consists of three interrelated essays that examine the governance of cybersecurity. The first essay synthesizes the literature on the disclosure of cybersecurity risks and incidents to identify its drivers, informativeness, quality, theoretical perspectives, and future directions. The review identifies several drivers for cybersecurity disclosure and highlights that, while the level of informativeness of such disclosure meets the usefulness expectations of regulators, its quality falls short; the literature mostly lacks an explicit theoretical framework and uses predominantly textual content analysis and event studies. The review identifies the need for research in both governance and management of cybersecurity disclosure, thus providing the motivation for the second and third essays. The second essay examines where cybersecurity risk oversight resides within a firm’s governance structure, what determines such positioning, and how it impacts the firm’s response to a cybersecurity breach. In proxy statements, breached firms explicitly disclose oversight assignment with wide variation, ranging from the full board to a named board committee, the audit committee being the most common. Results show that board connectedness and cyber competency are positively associated with oversight assignment, full board oversight is more likely with smaller boards, and boards’ shareholding and cyber competency steer oversight to the audit committee. In the event of a breach, the presence of oversight decreases the time firms take to announce and resolve the breach, and also reduces the recurrence of breaches. While audit committee oversight of cybersecurity leads to quicker disclosure and resolution of the breach, full board oversight leads to fewer recurrences. The increase in data breaches leads firms to adopt various risk management strategies; hence the third essay examines the relation between cyber insurance disclosure and a firm’s likelihood of being the target of a future breach.
    Using textual analysis of the risk factors disclosed in 10-K filings and comparing the cyber insurance disclosures of firms that are breached to those that are not, the evidence shows that firms disclosing cyber insurance have a significantly higher subsequent probability of being breached. Furthermore, it appears that disclosing cyber insurance leads to delayed public breach disclosure but more timely breach resolution, and higher breach recurrence.

    Advanced analytical methods for fraud detection: a systematic literature review

    The developments of the digital era demand new ways of producing goods and rendering services. This fast-paced evolution in companies implies a new approach from auditors, who must keep up with the constant transformation. With the dynamic dimensions of data, it is important to seize the opportunity to add value to companies. The need to apply more robust methods to detect fraud is evident. In this thesis the use of advanced analytical methods for fraud detection will be investigated, through the analysis of the existing literature on this topic. Both a systematic review of the literature and a bibliometric approach will be applied to the most appropriate database to measure the scientific production and current trends. This study intends to contribute to the academic research that has been conducted, in order to centralize the existing information on this topic.