Software security requirements management as an emerging cloud computing service

© 2016 Elsevier Ltd. All rights reserved.Emerging cloud applications are growing rapidly and the need for identifying and managing service requirements is also highly important and critical at present. Software Engineering and Information Systems has established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development, and testing. However, due to the lack of understanding of software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been so successful in applying software engineering, information management, and requirements management principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security cannot just be added after a system has been built and delivered to customers as seen in today's software applications. This paper provides concise methods, techniques, and best practice requirements engineering and management as an emerging cloud service (SSREMaaES) and also provides guidelines on software security as a service. This paper also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators. This paper illustrates our approach for a large cloud system Amazon EC2 service

UNDERSTANDING USER PERCEPTIONS AND PREFERENCES FOR MASS-MARKET INFORMATION SYSTEMS – LEVERAGING MARKET RESEARCH TECHNIQUES AND EXAMPLES IN PRIVACY-AWARE DESIGN

With cloud and mobile computing, a new category of software products emerges as mass-market information systems (IS) that addresses distributed and heterogeneous end-users. Understanding user requirements and the factors that drive user adoption are crucial for successful design of such systems. IS research has suggested several theories and models to explain user adoption and intentions to use, among them the IS Success Model and the Technology Acceptance Model (TAM). Although these approaches contribute to theoretical understanding of the adoption and use of IS in mass-markets, they are criticized for not being able to drive actionable insights on IS design as they consider the IT artifact as a black-box (i.e., they do not sufficiently address the system internal characteristics). We argue that IS needs to embrace market research techniques to understand and empirically assess user preferences and perceptions in order to integrate the "voice of the customer" in a mass-market scenario. More specifically, conjoint analysis (CA), from market research, can add user preference measurements for designing high-utility IS. CA has gained popularity in IS research, however little guidance is provided for its application in the domain. We aim at supporting the design of mass-market IS by establishing a reliable understanding of consumer’s preferences for multiple factors combing functional, non-functional and economic aspects. The results include a “Framework for Conjoint Analysis Studies in IS” and methodological guidance for applying CA. We apply our findings to the privacy-aware design of mass-market IS and evaluate their implications on user adoption. We contribute to both academia and practice. For academia, we contribute to a more nuanced conceptualization of the IT artifact (i.e., system) through a feature-oriented lens and a preference-based approach. We provide methodological guidelines that support researchers in studying user perceptions and preferences for design variations and extending that to adoption. Moreover, the empirical studies for privacy- aware design contribute to a better understanding of the domain specific applications of CA for IS design and evaluation with a nuanced assessment of user preferences for privacy-preserving features. For practice, we propose guidelines for integrating the voice of the customer for successful IS design. -- Les technologies cloud et mobiles ont fait émerger une nouvelle catégorie de produits informatiques qui s’adressent à des utilisateurs hétérogènes par le biais de systèmes d'information (SI) distribués. Les termes “SI de masse” sont employés pour désigner ces nouveaux systèmes. Une conception réussie de ceux-ci passe par une phase essentielle de compréhension des besoins et des facteurs d'adoption des utilisateurs. Pour ce faire, la recherche en SI suggère plusieurs théories et modèles tels que le “IS Success Model” et le “Technology Acceptance Model”. Bien que ces approches contribuent à la compréhension théorique de l'adoption et de l'utilisation des SI de masse, elles sont critiquées pour ne pas être en mesure de fournir des informations exploitables sur la conception de SI car elles considèrent l'artefact informatique comme une boîte noire. En d’autres termes, ces approches ne traitent pas suffisamment des caractéristiques internes du système. Nous soutenons que la recherche en SI doit adopter des techniques d'étude de marché afin de mieux intégrer les exigences du client (“Voice of Customer”) dans un scénario de marché de masse. Plus précisément, l'analyse conjointe (AC), issue de la recherche sur les consommateurs, peut contribuer au développement de système SI à forte valeur d'usage. Si l’AC a gagné en popularité au sein de la recherche en SI, des recommandations quant à son utilisation dans ce domaine restent rares. Nous entendons soutenir la conception de SI de masse en facilitant une identification fiable des préférences des consommateurs sur de multiples facteurs combinant des aspects fonctionnels, non-fonctionnels et économiques. Les résultats comprennent un “Cadre de référence pour les études d'analyse conjointe en SI” et des recommandations méthodologiques pour l'application de l’AC. Nous avons utilisé ces contributions pour concevoir un SI de masse particulièrement sensible au respect de la vie privée des utilisateurs et nous avons évalué l’impact de nos recherches sur l'adoption de ce système par ses utilisateurs. Ainsi, notre travail contribue tant à la théorie qu’à la pratique des SI. Pour le monde universitaire, nous contribuons en proposant une conceptualisation plus nuancée de l'artefact informatique (c'est-à-dire du système) à travers le prisme des fonctionnalités et par une approche basée sur les préférences utilisateurs. Par ailleurs, les chercheurs peuvent également s'appuyer sur nos directives méthodologiques pour étudier les perceptions et les préférences des utilisateurs pour différentes variations de conception et étendre cela à l'adoption. De plus, nos études empiriques sur la conception d’un SI de masse sensible au respect de la vie privée des utilisateurs contribuent à une meilleure compréhension de l’application des techniques CA dans ce domaine spécifique. Nos études incluent notamment une évaluation nuancée des préférences des utilisateurs sur des fonctionnalités de protection de la vie privée. Pour les praticiens, nous proposons des lignes directrices qui permettent d’intégrer les exigences des clients afin de concevoir un SI réussi

The Role of Gamification in Privacy Protection and User Engagement

The interaction between users and several technologies has rapidly increased. In people’s daily habits, the use of several applications for different reasons has been introduced. The provision of attractive services is an important aspect that it should be considered during their design. The implementation of gamification supports this, while game elements create a more entertaining and appealing environment. At the same time, due to the collection and record of users’ information within them, security and privacy are needed to be considered as well, in order for these technologies to ensure a minimum level of security and protection of users’ information. Users, on the other hand, should be aware of their security and privacy, so as to recognize how they can be protected, while using gamified services. In this work, the relation between privacy and gamified applications, regarding both the software developers and the users, is discussed, leading to the necessity not only of designing privacy-friendly systems but also of educating users through gamification on privacy issues

Evaluating a Reference Architecture for Privacy Level Agreement\u27s Management

With the enforcement of the General Data Protection Regulation and the compliance to specific privacyand security-related principles, the adoption of Privacy by Design and Security by Design principles can be considered as a legal obligation for all organisations keeping EU citizens’ personal data. A formal way to support Data Controllers towards their compliance to the new regulation could be a Privacy Level Agreement (PLA), a mutual agreement of the privacy settings between a Data Controller and a Data Subject, that supports privacy management, by analysing privacy threats, vulnerabilities and Information Systems’ trust relationships. However, the concept of PLA has only been proposed on a theoretical level. In this paper, we propose a novel reference architecture to enable PLA management in practice, and we report on the application and evaluation of PLA management within the context of real-life case studies from two different domains, the public administration and the healthcare, where sensitive data is kept. The results are rather positive, indicating that the adoption of such an agreement promotes the transparency of an organisation while enhances data subjects’ trust

FIN-DM: finantsteenuste andmekaeve protsessi mudel

Andmekaeve hõlmab reeglite kogumit, protsesse ja algoritme, mis võimaldavad ettevõtetel iga päev kogutud andmetest rakendatavaid teadmisi ammutades suurendada tulusid, vähendada kulusid, optimeerida tooteid ja kliendisuhteid ning saavutada teisi eesmärke. Andmekaeves ja -analüütikas on vaja hästi määratletud metoodikat ja protsesse. Saadaval on mitu andmekaeve ja -analüütika standardset protsessimudelit. Kõige märkimisväärsem ja laialdaselt kasutusele võetud standardmudel on CRISP-DM. Tegu on tegevusalast sõltumatu protsessimudeliga, mida kohandatakse sageli sektorite erinõuetega. CRISP-DMi tegevusalast lähtuvaid kohandusi on pakutud mitmes valdkonnas, kaasa arvatud meditsiini-, haridus-, tööstus-, tarkvaraarendus- ja logistikavaldkonnas. Seni pole aga mudelit kohandatud finantsteenuste sektoris, millel on omad valdkonnapõhised erinõuded. Doktoritöös käsitletakse seda lünka finantsteenuste sektoripõhise andmekaeveprotsessi (FIN-DM) kavandamise, arendamise ja hindamise kaudu. Samuti uuritakse, kuidas kasutatakse andmekaeve standardprotsesse eri tegevussektorites ja finantsteenustes. Uurimise käigus tuvastati mitu tavapärase raamistiku kohandamise stsenaariumit. Lisaks ilmnes, et need meetodid ei keskendu piisavalt sellele, kuidas muuta andmekaevemudelid tarkvaratoodeteks, mida saab integreerida organisatsioonide IT-arhitektuuri ja äriprotsessi. Peamised finantsteenuste valdkonnas tuvastatud kohandamisstsenaariumid olid seotud andmekaeve tehnoloogiakesksete (skaleeritavus), ärikesksete (tegutsemisvõime) ja inimkesksete (diskrimineeriva mõju leevendus) aspektidega. Seejärel korraldati tegelikus finantsteenuste organisatsioonis juhtumiuuring, mis paljastas 18 tajutavat puudujääki CRISP- DMi protsessis. Uuringu andmete ja tulemuste abil esitatakse doktoritöös finantsvaldkonnale kohandatud CRISP-DM nimega FIN-DM ehk finantssektori andmekaeve protsess (Financial Industry Process for Data Mining). FIN-DM laiendab CRISP-DMi nii, et see toetab privaatsust säilitavat andmekaevet, ohjab tehisintellekti eetilisi ohte, täidab riskijuhtimisnõudeid ja hõlmab kvaliteedi tagamist kui osa andmekaeve elutsüklisData mining is a set of rules, processes, and algorithms that allow companies to increase revenues, reduce costs, optimize products and customer relationships, and achieve other business goals, by extracting actionable insights from the data they collect on a day-to-day basis. Data mining and analytics projects require well-defined methodology and processes. Several standard process models for conducting data mining and analytics projects are available. Among them, the most notable and widely adopted standard model is CRISP-DM. It is industry-agnostic and often is adapted to meet sector-specific requirements. Industry- specific adaptations of CRISP-DM have been proposed across several domains, including healthcare, education, industrial and software engineering, logistics, etc. However, until now, there is no existing adaptation of CRISP-DM for the financial services industry, which has its own set of domain-specific requirements. This PhD Thesis addresses this gap by designing, developing, and evaluating a sector-specific data mining process for financial services (FIN-DM). The PhD thesis investigates how standard data mining processes are used across various industry sectors and in financial services. The examination identified number of adaptations scenarios of traditional frameworks. It also suggested that these approaches do not pay sufficient attention to turning data mining models into software products integrated into the organizations' IT architectures and business processes. In the financial services domain, the main discovered adaptation scenarios concerned technology-centric aspects (scalability), business-centric aspects (actionability), and human-centric aspects (mitigating discriminatory effects) of data mining. Next, an examination by means of a case study in the actual financial services organization revealed 18 perceived gaps in the CRISP-DM process. Using the data and results from these studies, the PhD thesis outlines an adaptation of CRISP-DM for the financial sector, named the Financial Industry Process for Data Mining (FIN-DM). FIN-DM extends CRISP-DM to support privacy-compliant data mining, to tackle AI ethics risks, to fulfill risk management requirements, and to embed quality assurance as part of the data mining life-cyclehttps://www.ester.ee/record=b547227

A proposal for the management of data driven services in smart manufacturing scenarios

205 p.This research work focuses on Industrial Big Data Services (IBDS) Providers, a specialization of ITServices Providers. IBDS Providers constitute a fundamental agent in Smart Manufacturing scenarios,given the wide spectrum of complex technological challenges involved in the adoption of the requireddata-related IT by manufacturers aiming at shifting their businesses towards Smart Manufacturing. Theoverarching goal of this research work is to provide contributions that (a) help the business sector ofIBDS Providers to manage their collaboration projects with manufacturing partners in order to deploy therequired data-driven services in Smart Manufacturing scenarios, and (b) adapt and extend existingconceptual, methodological, and technological proposals in order to include those practical elements thatfacilitate their use in business contexts. The main contributions of this dissertation focus on three specificchallenges related to the early stages of the data lifecycle, i.e. those stages that ensure the availability ofnew data to exploit, coming from monitored manufacturing facilities: (1) Devising a more efficient datastorage strategy that reduces the costs of the cloud infrastructure required by an IBDS Provider tocentralize and accumulate the massive-scale amounts of data from the supervised manufacturingfacilities; (2) Designing the required architecture for the data capturing and integration infrastructure thatsustains an IBDS Provider's platform; (3) The collaborative design process with partnering manufacturersof the required data-driven services for a specific manufacturing sector