
    Evaluation and Improvement of Internet Voting Schemes Based on Legally-Founded Security Requirements

    In recent years, several nations and private associations have introduced Internet voting as an additional means to conduct elections. To date, a variety of voting schemes to conduct Internet-based elections have been constructed, both by the scientific community and by industry. Because of its fundamental importance to democratic societies, Internet voting – as any other voting method – is bound to high legal standards, particularly imposing security requirements on the voting method. However, these legal standards, and the security requirements derived from them, partially oppose each other. As a consequence, Internet voting schemes cannot enforce these legally-founded security requirements to their full extent, but rather build upon specific assumptions. The criticality of these assumptions depends on the target election setting, particularly the adversary expected within that setting. Given the lack of an election-specific evaluation framework for these assumptions, or more generally for Internet voting schemes, the adequacy of Internet voting schemes for specific elections cannot readily be determined. Hence, selecting the Internet voting scheme that satisfies legally-founded security requirements within a specific election setting in the most appropriate manner is a challenging task. To support election officials in the selection process, the first goal of this dissertation is the construction of an evaluation framework for Internet voting schemes based on legally-founded security requirements. Therefore, on the foundation of previous interdisciplinary research, legally-founded security requirements for Internet voting schemes are derived. To provide election officials with improved decision alternatives, the second goal of this dissertation is the improvement of two established Internet voting schemes with regard to legally-founded security requirements, namely the Polyas Internet voting scheme and the Estonian Internet voting scheme.
Our research results in five (partially opposing) security requirements for Internet voting schemes. On the basis of these security requirements, we construct a capability-based risk assessment approach for the security evaluation of Internet voting schemes in specific election settings. The evaluation of the Polyas scheme reveals that compromised voting devices can alter votes undetectably. Considering the surrounding circumstances, we eliminate this shortcoming by incorporating out-of-band codes to acknowledge voters' votes. It turns out that in the Estonian scheme, four out of five security requirements rely on the correct behaviour of voting devices. We improve the Estonian scheme in that regard by incorporating out-of-band voting and acknowledgment codes. Thereby, we maintain four out of five security requirements against adversaries capable of compromising voting devices.

    Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices

    Medical devices are vulnerable to cybersecurity exploitation and, while they can provide improvements to clinical care, they can put healthcare organizations and their patients at risk of adverse impacts. Evidence has shown that the proliferation of devices on medical networks presents cybersecurity challenges for healthcare organizations due to their lack of built-in cybersecurity controls and the inability of organizations to implement security controls on them. The negative impacts of cybersecurity exploitation in healthcare can include the loss of patient confidentiality, risk to patient safety, negative financial consequences for the organization, and loss of business reputation. Assessing the risk of vulnerabilities and threats to medical devices can inform healthcare organizations in prioritizing resources to reduce risk most effectively. In this research, we build upon a database-driven approach to risk assessment that is based on the elements of threat, vulnerability, asset, and control (TVA-C). We contribute a novel framework for the cybersecurity risk assessment of medical devices. Using a series of papers, we answer questions related to the risk assessment of networked medical devices. We first conducted an empirical case study that determined the scope of security vulnerabilities in a typical computerized medical environment. We then created a cybersecurity risk framework to identify threats and vulnerabilities to medical devices and produce a quantified risk assessment. These results supported actionable decision making at the managerial and operational levels of a typical healthcare organization. Finally, we applied the framework using a data set of medical devices received from a partnering healthcare organization. We compare the assessment results of our framework to those of a commercial risk assessment vulnerability management system used to analyze the same assets.
The study also compares our framework results to the NIST Common Vulnerability Scoring System (CVSS) scores related to identified vulnerabilities reported through the Common Vulnerabilities and Exposures (CVE) program. As a result of these studies, we recognize several contributions to the area of healthcare cybersecurity. To begin with, we provide the first comprehensive vulnerability assessment of a robotic surgical environment, using a da Vinci surgical robot along with its supporting computing assets. This assessment supports the assertion that networked computer environments in healthcare facilities are at risk of being compromised. Next, our framework, known as MedDevRisk, provides a novel method for risk quantification. In addition, our assessment approach uniquely considers the assets that are of value to a medical organization, going beyond the medical device itself. Finally, our incorporation of risk scenarios into the framework represents a novel approach to medical device risk assessment, synthesized from other well-known standards. To our knowledge, our research is the first to apply a quantified assessment framework to the problem area of healthcare cybersecurity and networked medical devices. We conclude that a reduction in the uncertainty about the cybersecurity risk status of medical devices can be achieved using this framework.

    A Threat Tree for Health Information Security and Privacy

    This paper begins a process of organizing knowledge of health information security threats into a comprehensive catalog. We begin by describing our risk management perspective of health information security, and then use this perspective to motivate the development of a health information threat tree. We describe examples of three threats, breaking each down into its key risk-related data attributes: threat source and action, the health information asset and its vulnerability, and potential controls. The construction of such a threat catalog is argued to be useful for risk assessment and to inform public health care policy. As no threat catalog is ever complete, guidance for extending the health information security threat tree is given.

    A Database-driven Model for Risk Assessment


    Application of Fault Management Theory to the Quantitative Selection of a Launch Vehicle Abort Trigger Suite

    This paper describes the quantitative application of the theory of System Health Management and its operational subset, Fault Management, to the selection of abort triggers for a human-rated launch vehicle, the United States National Aeronautics and Space Administration's (NASA) Space Launch System (SLS). The results demonstrate the efficacy of the theory in assessing the effectiveness of candidate failure detection and response mechanisms for protecting humans from time-critical and severe hazards. The quantitative method was successfully used on the SLS to aid selection of its suite of abort triggers.

    Uncertainty in Engineering

    This open access book provides an introduction to uncertainty quantification in engineering. Starting with preliminaries on Bayesian statistics and Monte Carlo methods, followed by material on imprecise probabilities, it then focuses on reliability theory and simulation methods for complex systems. The final two chapters discuss various aspects of aerospace engineering, considering stochastic model updating from an imprecise Bayesian perspective, and uncertainty quantification for aerospace flight modelling. Written by experts in the subject, and based on lectures given at the Second Training School of the European Research and Training Network UTOPIAE (Uncertainty Treatment and Optimization in Aerospace Engineering), which took place at Durham University (United Kingdom) from 2 to 6 July 2018, the book offers an essential resource for students as well as scientists and practitioners.

    Predicting software faults in large space systems using machine learning techniques

    Recently, the use of machine learning (ML) algorithms has proven to be of great practical value in solving a variety of engineering problems, including the prediction of failure, fault, and defect-proneness as space system software becomes more complex. One of the most active areas of recent research in ML has been the use of ensemble classifiers. This work shows how ML techniques (or classifiers) can be used to predict software faults in space systems, including many aerospace systems, and further combines individual classifiers into ensembles by having them vote for the most popular class, in order to improve the prediction of system software fault-proneness. Benchmarking results on four NASA public datasets show the Naive Bayes classifier to be the more robust software fault predictor, while most ensembles that include a decision tree classifier as one of their components achieve higher accuracy rates.

    Automated X-ray image analysis for cargo security: Critical review and future promise

    We review the relatively immature field of automated image analysis for X-ray cargo imagery. There is increasing demand for automated analysis methods that can assist in the inspection and selection of containers, due to the ever-growing volumes of traded cargo and the increasing concern that customs- and security-related threats are being smuggled across borders by organised crime and terrorist networks. We split the field into the classical pipeline of image preprocessing and image understanding. Preprocessing includes: image manipulation; quality improvement; Threat Image Projection (TIP); and material discrimination and segmentation. Image understanding includes: Automated Threat Detection (ATD); and Automated Contents Verification (ACV). We identify several gaps in the literature that need to be addressed and propose ideas for future research. Where the current literature is sparse, we borrow from the single-view, multi-view, and CT X-ray baggage domains, which have some characteristics in common with X-ray cargo.