Recommended from our members
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
Introducing realist ontology for the representation of adverse events
The goal of the REMINE project is to build a high performance prediction, detection and monitoring platform for managing Risks against Patient Safety (RAPS). Part of the work involves developing an ontology enabling computer-assisted RAPS decision support on the basis of the disease history of a patient as documented in a hospital information system. A requirement of the ontology is to contain a representation for what is commonly referred to by the term 'adverse event', one challenge being that distinct authoritative sources define this term in different and context-dependent ways. The presence of some common ground in all definitions is, however, obvious. Using the analytical principles underlying Basic Formal Ontology and Referent Tracking, both developed in the tradition of philosophical realism, we propose a formal representation of this common ground which combines a reference ontology consisting exclusively of representations of universals and an application ontology which consists of representations of defined classes. We argue that what in most cases is referred to by means of the term 'adverse event' - when used generically - is a defined class rather than a universal. In favour of the conception of adverse events as forming a defined class are the arguments that (1) there is no definition for 'adverse event' that carves out a collection of particulars which constitutes the extension of a universal, and (2) the majority of definitions require adverse events to be (variably) the result of some observation, assessment or (absence of) expectation, thereby giving these entities a nominal or epistemological flavour.
Diversity, Safety and Security in Embedded Systems: modelling adversary effort and supply chain risks
We present quantitative considerations for the design of redundancy and diversity in embedded systems with security requirements. The potential for malicious activity against these systems has complicated requirements and design choices. New design trade-offs have arisen besides those already familiar in this area: for instance, adding redundancy may increase the attack surface of a system and thus increase overall risk. Our case study concerns protecting redundant communications between a control system and its controlled physical system. We study the effects of using: (i) different encryption keys on replicated channels, and (ii) diverse encryption schemes and implementations. We consider two attack scenarios, with adversaries having access to (i) ways of reducing the search space in attacks using random searches for keys; or (ii) hidden major flaws in some crypto algorithm or implementation. Trade-offs between the requirements of integrity and confidentiality are found, but not in all cases. Simple models give useful design insights. In this system, we find that key diversity improves integrity without impairing confidentiality (no trade-offs arise between the two) and it can substantially increase adversary effort, but it will not remedy substantial weaknesses of the crypto system. Implementation diversity does involve design trade-offs between integrity and confidentiality, which we analyse, but turns out to be generally desirable for highly critical applications of the control system considered.
Using Assurance Cases and Boolean Logic Driven Markov Processes to Formalise Cyber Security Concerns for Safety-Critical Interaction with Global Navigation Satellite Systems
Satellite-based location and timing systems support a wide range of mass market applications, typically using the GPS infrastructure. Until recently, these applications could not be used within safety-critical interfaces. Limits to the accuracy, availability, integrity and continuity of the space-based signals prevented regulatory agencies from certifying their use. Over the last three months, however, the latest generation of augmented Global Navigation Satellite Systems (GNSS) have been approved for use in safety-related applications. They use a range of techniques to overcome the limitations of previous infrastructures. This means that they can be used as primary navigation tools in a wide range of interactive systems, including aircraft cockpits, railway signalling tools etc. Unfortunately, a range of organisations, including the UK Ministry of Defence, have raised concerns about our increasing vulnerability to attacks on these satellite-based architectures. These threats are compounded by the difficulty of representing and reasoning about the impact of jamming, spoofing and insider threats for the end-users of safety-critical systems. A sudden loss of navigational support can undermine users' confidence in complex applications and pose a significant threat to distributed situation awareness. We show how formal reasoning techniques can be used to identify the safety and security concerns that jeopardise interaction with future generations of Global Navigation Satellite Systems applications.
Assessing Asymmetric Fault-Tolerant Software
The most popular forms of fault tolerance against design faults use "asymmetric" architectures in which a "primary" part performs the computation and a "secondary" part is in charge of detecting errors and performing some kind of error processing and recovery. In contrast, the most studied forms of software fault tolerance are "symmetric" ones, e.g. N-version programming. The latter are often controversial, the former are not. We discuss how to assess the dependability gains achieved by these methods. Substantial difficulties have been shown to exist for symmetric schemes, but we show that the same difficulties affect asymmetric schemes. Indeed, the latter present somewhat subtler problems. In both cases, to predict the dependability of the fault-tolerant system it is not enough to know the dependability of the individual components. We extend to asymmetric architectures the style of probabilistic modeling that has been useful for describing the dependability of "symmetric" architectures, to highlight factors that complicate the assessment. In the light of these models, we finally discuss fault injection approaches to estimating coverage factors. We highlight the limits of what can be predicted and some useful research directions towards clarifying and extending the range of situations in which estimates of coverage of fault tolerance mechanisms can be trusted.
Critique of Architectures for Long-Term Digital Preservation
Evolving technology and fading human memory threaten the long-term intelligibility of many kinds of documents. Furthermore, some records are susceptible to improper alterations that make them untrustworthy. Trusted Digital Repositories (TDRs) and Trustworthy Digital Objects (TDOs) seem to be the only broadly applicable digital preservation methodologies proposed. We argue that the TDR approach has shortfalls as a method for long-term digital preservation of sensitive information. Comparison of TDR and TDO methodologies suggests differentiating near-term preservation measures from what is needed for the long term.
TDO methodology addresses these needs, providing for making digital documents durably intelligible. It uses EDP standards for a few file formats and XML structures for text documents. For other information formats, intelligibility is assured by using a virtual computer. To protect sensitive information, content whose inappropriate alteration might mislead its readers, the integrity and authenticity of each TDO is made testable by embedded public-key cryptographic message digests and signatures. Key authenticity is protected recursively in a social hierarchy. The proper focus for long-term preservation technology is signed packages that each combine a record collection with its metadata and that also bind context: Trustworthy Digital Objects.
A normal paranoia? The emergence of distrust between parents of autistic children and public officials
This paper explores the development of distrust and paranoia among parents and carers of autistic children in their interactions with public officials charged with such children's diagnosis, education and care. The suspicion and distrust framework of Fein and Hilton (1994), and Kramer's typology of organisational paranoia (1998, 2001) are used to show how distrust impacts on client experiences. Antecedents of distrust are identified, and the 'normalcy' of paranoia in this context is demonstrated. These findings should permit public sector staff dealing with parents and carers of autistic children to address such perceptions and build trust where little seems to exist.