94,704 research outputs found

    Delivering organisational adaptation through legislative mechanisms: Evidence from the Adaptation Reporting Power (Climate Change Act 2008)

    There is increasing recognition that organisations, particularly in key infrastructure sectors, are potentially vulnerable to climate change and extreme weather events, and require organisational responses to ensure they are resilient and adaptive. However, detailed evidence of how adaptation is facilitated, implemented and reported, particularly through legislative mechanisms, is lacking. The United Kingdom Climate Change Act (2008) introduced the Adaptation Reporting Power, enabling the Government to direct so-called reporting authorities to report their climate change risks and adaptation plans. We describe the authors' unique role and experience supporting the Department for Environment, Food and Rural Affairs (Defra) during the Adaptation Reporting Power's first round. An evaluation framework, used to review the adaptation reports, is presented alongside evidence on how the process provides new insights into adaptation activities and triggered organisational change in 78% of reporting authorities, including the embedding of climate risk and adaptation issues. The role of legislative mechanisms and risk-based approaches in driving and delivering adaptation is discussed alongside future research needs, including the development of organisational maturity models to determine resilient and well adapting organisations. The Adaptation Reporting Power process provides a basis for similar initiatives in other countries, although a clear engagement strategy to ensure buy-in to the process and research on its long-term legacy, including the potential merits of voluntary approaches, is required

    HiTrust: building cross-organizational trust relationship based on a hybrid negotiation tree

    Small-world phenomena have been observed in existing peer-to-peer (P2P) networks which has proved useful in the design of P2P file-sharing systems. Most studies of constructing small world behaviours on P2P are based on the concept of clustering peer nodes into groups, communities, or clusters. However, managing additional multilayer topology increases maintenance overhead, especially in highly dynamic environments. In this paper, we present Social-like P2P systems (Social-P2Ps) for object discovery by self-managing P2P topology with human tactics in social networks. In Social-P2Ps, queries are routed intelligently even with limited cached knowledge and node connections. Unlike community-based P2P file-sharing systems, we do not intend to create and maintain peer groups or communities consciously. In contrast, each node connects to other peer nodes with the same interests spontaneously by the result of daily searches

    Enabling the Autonomic Management of Federated Identity Providers

    The autonomic management of federated authorization infrastructures (federations) is seen as a means for improving the monitoring and use of a service provider’s resources. However, federations are comprised of independent management domains with varying scopes of control and data ownership. The focus of this paper is on the autonomic management of federated identity providers by service providers located in other domains, when the identity providers have been diagnosed as the source of abuse. In particular, we describe how an autonomic controller, external to the domain of the identity provider, exercises control over the issuing of privilege attributes. The paper presents a conceptual design and implementation of an effector for an identity provider that is capable of enabling cross-domain autonomic management. The implementation of an effector for a SimpleSAMLphp identity provider is evaluated by demonstrating how an autonomic controller, together with the effector, is capable of responding to malicious abuse

    Secure data sharing and processing in heterogeneous clouds

    The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

    Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities

    Authentication and authorization are critical security layers to protect a wide range of online systems, services and content. However, the increased prevalence of wearable and mobile devices, the expectations of a frictionless experience and the diverse user environments will challenge the way users are authenticated. Consumers demand secure and privacy-aware access from any device, whenever and wherever they are, without any obstacles. This paper reviews emerging trends and challenges with frictionless authentication systems and identifies opportunities for further research related to the enrollment of users, the usability of authentication schemes, as well as security and privacy trade-offs of mobile and wearable continuous authentication systems. Comment: published at the 11th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2017)

    Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting

    Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role. This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks

    Clinical governance, education and learning to manage health information

    Purpose – This paper aims to suggest that the concept of clinical governance goes beyond a bureaucratic accountability structure and can be viewed as a negotiated balance between imperfectly aligned and sometimes conflicting goals within a complex adaptive system. On this view, the information system cannot be separated conceptually from the system of governance it supports or the people whose work it facilitates or hinders. Design/methodology/approach – The study, located within the English National Health Service (NHS) between 1999 and 2005, is case study based using a multi method approach to data collection within two primary care organisations (PCOs). The research strategy is conducted within a social constructionist ontological perspective. Findings – The findings reflect the following broad-based themes: mutual adjustment of a plurality of stakeholder perceptions, preferences and priorities; the development of information and communication systems, empowered by informatics; an emphasis on education and training to build capacity and capability. Research limitations/implications – Limitations of case study methodology include a tendency to provide selected accounts. These are potentially biased and risk trivialising findings. Rooted in specific context, their generalisability to other contexts is limited by the extent to which contexts are similar. Reasonable attempts were made to minimise any bias. The diversity of data collection methods used in the study was an attempt to counterbalance the limitations highlighted in one method by strength from alternative techniques. Practical implications – The paper makes recommendations in two key governance areas: education and learning to manage health information. In practice, the lessons learned provide opportunities to inform future approaches to health informatics educational programmes. 
    Originality/value – With regard to topicality, it is suggested that many of the developmental issues highlighted during the establishment of quality improvement programmes within primary care organisations (PCGs/PCTs) are relevant in the light of current NHS reforms and move towards commissioning consortia