5 research outputs found

    Broadening the Scope of Security Usability from the Individual to the Organizational : Participation and Interaction for Effective, Efficient, and Agile Authorization

    Restrictions and permissions in information systems -- Authorization -- can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Conversely, the effectiveness can also be impacted when staff is forced to circumvent the measure to complete work -- typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. This thesis analyzes the diverse contexts in which authorization occurs, and systematically examines the problems that surround the different perspectives on authorization in organizational settings. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts

    On the Statistics of Trustworthiness Prediction

    Trust and trustworthiness facilitate interactions between human beings worldwide, every day. They enable the formation of friendships, making of profits and the adoption of new technologies, making life not only more pleasant, but furthering the societal development. Trust, for lack of a better word, is good. When human beings trust, they rely on the trusted party to be trustworthy, that is, literally worthy of the trust that is being placed in them. If it turns out that the trusted party is unworthy of the trust placed into it, the truster has misplaced its trust, has unwarrantedly relied and is liable to experience possibly unpleasant consequences. Human social evolution has equipped us with tools for determining another’s trustworthiness through experience, cues and observations with which we aim to minimise the risk of misplacing our trust. Social adaptation, however, is a slow process and the cues that are helpful in real, physical environments where we can observe and hear our interlocutors are less helpful in interactions that are conducted over data networks with other humans or computers, or even between two computers. This presents a challenge in a world where the virtual and the physical intermesh increasingly. A challenge that computational trust models seek to address by applying computational evidence-based methods to estimate trustworthiness. In this thesis, the state-of-the-art in evidence-based trust models is extended and improved upon – in particular with regard to their statistical modelling. The statistics behind (Bayesian) trustworthiness estimation will receive special attention, their extension bringing about improvements in trustworthiness estimation that encompass the following aspects: (i.) statistically well-founded estimators for binomial and multinomial models of trust that can accurately estimate the trustworthiness of another party and those that can express the inherent uncertainty of the trustworthiness estimate in a statistically meaningful way, (ii.) better integration of recommendations by third parties using advanced methods for determining the reliability of the received recommendations, (iii.) improved responsiveness to changes in the behaviour of trusted parties, and (iv.) increasing the generalisability of trust-relevant information over a set of trusted parties. Novel estimators, methods for combining recommendations and other trust-relevant information, change detectors, as well as a mapping for integrating stereotype-based trustworthiness estimates, are bundled in an improved Bayesian trust model, Multinomial CertainTrust. Specific scientific contributions are structured into three distinct categories: 1. A Model for Trustworthiness Estimation: The statistics of trustworthiness estimation are investigated to design a fully multinomial trustworthiness estimation model. Leveraging the assumptions behind the Bayesian estimation of binomial and multinomial proportions, accurate trustworthiness and certainty estimators are presented, and the integration of subjectivity via informed and non-informed Bayesian priors is discussed. 2. Methods for Trustworthiness Information Processing: Methods for facilitating trust propagation and accounting for concept drift in the behaviour of the trusted parties are introduced. All methods are applicable, by design, to both the binomial case and the multinomial case of trustworthiness estimation. 3. Further extension for trustworthiness estimation: Two methods for addressing the potential lack of direct experiences with new trustees in feedback-based trust models are presented. For one, the dedicated modelling of particular roles and the trust delegation between them is shown to be principally possible as an extension to existing feedback-based trust models. For another, a more general approach for feature-based generalisation using model-free, supervised machine-learners, is introduced. The general properties of the trustworthiness and certainty estimators are derived formally from the basic assumptions underlying binomial and multinomial estimation problems, harnessing fundamentals of Bayesian statistics. Desired properties for the introduced certainty estimators, first postulated by Wang & Singh, are shown to hold through formal argument. The general soundness and applicability of the proposed certainty estimators is founded on the statistical properties of interval estimation techniques discussed in the related statistics work and formally and rigorously shown there. The core estimation system and additional methods, in their entirety constituting the Multinomial CertainTrust model, are implemented in R, along with competing methods from the related work, specifically for determining recommender trustworthiness and coping with changing behaviour through ageing. The performance of the novel methods introduced in this thesis was tested against established methods from the related work in simulations. Methods for hardcoding indicators of trustworthiness were implemented within a multi-agent framework and shown to be functional in an agent-based simulation. Furthermore, supervised machine-learners were tested for their applicability by collecting a real-world data set of reputation data from a hotel booking site and evaluating their capabilities against this data set. The hotel data set exhibits properties, such as a high imbalance in the ratings, that appear typical of data that is generated from reputation systems, as these are also present in other data sets

    The grammar of money: an analytical account of money as a discursive institution in light of the practice of complementary currencies

    Since the global financial crisis in 2008, complementary currencies - from local initiatives like the Brixton Pound to timebanks, business-to-business currencies and, of course, Bitcoin - have received unprecedented attention by academics, policy makers, the media and the general public. However, at close theoretic inspection money itself remains as elusive a phenomenon as water must be to fish. Economic and business disciplines commonly only describe the use and functionality of money rather than its nature. Sociology and philosophy have a more fundamental set of approaches, but remain largely unintegrated in financial policy and common perception. At the same time, new forms of currency challenge predominant definitions of money and their implementation in the law and financial regulation. Unless our understanding of money and currencies is questioned and extended to consistently reflect theory and practice, its current misalignment threatens to impede much needed reform and innovation of the financial systems towards equity, democratic participation and sustainability. After reviewing current monetary theories and their epistemological underpinning, this thesis proposes a new theoretic framework of money as a ‘discursive institution’ that can be applied coherently to all monetary phenomena, conventional and unconventional. It also allows for the empirical analysis of currencies with the methodologies of neo-institutionalism, practice theory and critical discourse analysis. This will here be demonstrated in a transdisciplinary triangulation concerning three sets of data from the diverse field of complementary currencies, the publications of the Bank of England and monetary laws from the United States. 
The findings do not only demonstrate the heuristic value of the theory of discursive institutionalism in regard to money and complementary currencies, but highlight how regulatory and legal definitions even of conventional money lack the coherence and clarity required to appropriately explicate monetary innovation. Accordingly, this study concludes with recommendations for monetary theory, policy and research that can address the current inconsistencies