26,232 research outputs found

    Fostering open science practice through recognising and rewarding research data management and curation skills

    In a bid to improve research integrity, drive innovation, increase knowledge and to maximize public investment, researchers are increasingly under pressure to work in a more open and transparent way. This movement has been referred to as open science. Open science offers a range of potential and measurable benefits – for researchers and the institutions that employ them as well as for society more generally. However, to realise these benefits, we must work towards changing current research practices and behaviours. Researchers will need to acquire new research data management and curation skills that enable them to undertake a broader range of tasks along the entire research lifecycle – from undertaking new means of collaboration, to implementing data management and sharing strategies, to understanding how to amplify and monitor research outputs and to assess their value and impact. In parallel, information professionals who work to support researchers and the open science process will also need to expand their research data management and curation skillsets. It will be equally important that current recognition and reward systems are amended to reflect the application of such skillsets within a range of disciplines. This paper will explore the potential role that librarians can play in supporting and progressing open science and discuss some of the new skills that librarians may require if they are to fulfil this role effectively. Citing examples from the current UK research landscape, this paper will map these skills to the Wellcome Trust and Digital Science’s CRediT Taxonomy which was developed in 2013 to enable the broad range of contributions involved in producing research outputs to be more consistently described and rewarded

    Technical Report on Deploying a highly secured OpenStack Cloud Infrastructure using BradStack as a Case Study

    Cloud computing has emerged as a popular paradigm and an attractive model for providing a reliable distributed computing model. It is increasingly attracting huge attention both in academic research and industrial initiatives. Cloud deployments are paramount for institutions and organizations of all scales. The availability of a flexible, free open source cloud platform designed with no proprietary software and the ability of its integration with legacy systems and third-party applications are fundamental. OpenStack is a free and open-source software released under the terms of the Apache license with a fragmented and distributed architecture making it highly flexible. This project was initiated and aimed at designing a secured cloud infrastructure called BradStack, which is built on OpenStack in the Computing Laboratory at the University of Bradford. In this report, we present and discuss the steps required in deploying a secured BradStack Multi-node cloud infrastructure and conducting Penetration testing on OpenStack Services to validate the effectiveness of the security controls on the BradStack platform. This report serves as a practical guideline, focusing on security and practical infrastructure related issues. It also serves as a reference for institutions looking at the possibilities of implementing a secured cloud solution.
    Comment: 38 pages, 19 figures

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    IEEE 802.11i Security and Vulnerabilities

    Despite using a variety of comprehensive preventive security measures, the Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with less false positive and false negative rates

    How to systematically classify computer security intrusions

    This paper presents a classification of intrusions with respect to the technique as well as the result. The taxonomy is intended to be a step on the road to an established taxonomy of intrusions for use in incident reporting, statistics, warning bulletins, intrusion detection systems etc. Unlike previous schemes, it takes the viewpoint of the system owner and should therefore be suitable to a wider community than that of system developers and vendors only. It is based on data from a realistic intrusion experiment, a fact that supports the practical applicability of the scheme. The paper also discusses general aspects of classification, and introduces a concept called dimension. After having made a broad survey of previous work in the field, we decided to base our classification of intrusion techniques on a scheme proposed by Neumann and Parker (1989) and to further refine relevant parts of their scheme. Our classification of intrusion results is derived from the traditional three aspects of computer security: confidentiality, availability and integrity

    Information Security Risk Assessment in the Context of Outsourcing in a Financial Institution

    Information security risk assessment in a financial institution is important for understanding risk exposure to the confidentiality, integrity, and availability of assets. Third-party security is recognized to have a growing importance for financial sector organizations. A financial institution aims for securing information while justifying budgeting decisions. Unfortunately, commonly used methods are dependent on value judgments and individual assurances which limit their reflection of existing uncertainties in reality. This is a problem because organizations do not want to allocate resources into security without accurately estimating their exposure to risks. The paper introduces two information security risk assessment methods: Information System Security Risk Management method and Bayesian Networks Based Attack Graphs. A systematic comparison of the methods is made in the context of third-party outsourcing. A proposition of how to combine a security risk management method together with a probabilistic risk assessment method has been made. Feedback and validation have been given by experts in the field

    e-Government Technical Security Controls Taxonomy for Information Assurance Contractors - A Relational Approach

    When project managers consider risks that may affect a project, they rarely consider risks associated with the use of information systems. The Federal Information Security Management Act (FISMA) of 2002 recognizes the importance of information security to the economic and national security of the United States. The requirements of FISMA are addressed using the NIST Special Publication 800-53 Rev 3, which has improved the way organizations practice information assurance. The NIST SP 800-53 Rev 3 takes a hierarchical approach to information assurance, which has resulted in the duplication and subsequent withdrawal and merging of fifteen security controls. In addition, the security controls are not associated with the appropriate information systems. The current security assessment model often results in a waste of resources, since controls that are not applicable to an information system have to be addressed. This research developed and tested the value of using an information system breakdown structure (ISBS) model for identification of project information system resources. It also assessed the value of using an e-Government Relational Technical Security Controls Model for mapping the ISBS to the applicable relational technical security controls. A questionnaire containing ninety-five items was developed and emailed to twenty-four information security contractors of which twenty-two efficiently completed questionnaires were received. The questionnaire assessed the value of using the ISBS, and the relationships of the e-Government Relational Technical Security Controls model. Literature review and industry experts' opinion were used to triangulate the research results and establish their validity. Cronbach's Alpha coefficient for the four sections of the questionnaire established its reliability. The results of the research indicated that the ISBS model is an invaluable, customizable, living tool that should be used for identification of information system resources on projects. It can also be used for assigning responsibility for the different information systems and for security classification. The study also indicated that using the e-Government Relational Technical Security Controls provides a relational and fully integrated approach to information assurance while reducing the likelihood of duplicating security controls. This study could help project managers identify and mitigate risks associated with the use of information systems on projects

    A pattern-based development of secure business processes

    Every security concerned enterprise selects its own security measures in order to avoid unexpected events and accidents. The main objective of these security measures is to protect the enterprise’s own resources and assets from damage. Most of the time, the accidents or disasters that take place in an enterprise are similar in nature, and are caused by similar kinds of vulnerabilities. However, many security analysts find it difficult to select the right security measure for a particular problem because the previous proven solutions are not properly documented. In this context Security Patterns could be helpful since they present the proven solutions that potentially could be reused in similar situations. In this thesis, we develop a set of ten Security Risk-oriented Patterns (SRP) and define the way they could be used to define security countermeasures within the business process models. In principle, patterns are modelling language-independent. Moreover, to ease their application, we represent them in a graphical form using the Business Process Modelling Notation (BPMN) modelling approach. We demonstrate the usability of the Security Risk-oriented Patterns (SRP) by applying them on two industrial business models. We present the quantitative analysis of their application. We show that Security Risk-oriented Patterns (SRP) help to determine security risks in business models and suggest rationale for security solutions. The results of this research could potentially encourage the security analysts to follow a pattern-based approach to develop secure business processes, thus contributing to secure Information Systems (IS)