Oblivious Inspection: On the Confrontation between System Security and Data Privacy at Domain Boundaries

In this work, we introduce the system boundary security vs. privacy dilemma, where border devices (e.g., firewall devices) require unencrypted data inspection to prevent data exfiltration or unauthorized data accesses, but unencrypted data inspection violates data privacy. To shortcut this problem, we present Oblivious Inspection, a novel approach based on garbled circuits to perform a stateful application-aware inspection of encrypted network traffic in a privacy-preserving way. We also showcase an inspection algorithm for Fast Healthcare Interoperability Resources (FHIR) standard compliant packets along with its performance results. The results point out the importance of the inspection function being aligned with the underlying garbled circuit protocol. In this line, mandatory encryption algorithms for TLS 1.3 have been analysed observing that packets encrypted using Chacha20 can be filtered up to 17 and 25 times faster compared with AES128-GCM and AES256-GCM, respectively. All together, this approach penalizes performance to align system security and data privacy, but it could be appropriate for those scenarios where this performance degradation can be justified by the sensibility of the involved data such as healthcare scenarios

Business as usual through contact tracing app: What influences intention to download?

A contact tracing app can positively support the requirement of social and physical distancing during a pandemic. However, there are aspects of the user’s intention to download the app that remain under-researched. To address this, we investigate the role of perceived privacy risks, social empowerment, perceived information transparency and control, and attitudes towards government, in influencing the intention to download the contact tracing app. Using fuzzy set qualitative comparative analysis (fsQCA), we found eight different configurations of asymmetrical relationships of conditions that lead to the presence or absence of an intention to download. In our study, social empowerment significantly influences the presence of an intention to download. We also found that perceived information transparency significantly influences the absence of an intention to download the app

Informacijos saugos valdymo karkasas smulkiam ir vidutiniam verslui

Information security is one of the concerns any organization or person faces. The list of new threats appears, and information security management mechanisms have to be established and continuously updated to be able to fight against possible security issues. To be up to date with existing information technology threats and prevention, protection, maintenance possibilities, more significant organizations establish positions or even departments, to be responsible for the information security management. However, small and medium enterprise (SME) does not have enough capacities. Therefore, the information security management situation in SMEs is fragmented and needs improvement. In this thesis, the problem of information security management in the small and medium enterprise is analyzed. It aims to simplify the information security management process in the small and medium enterprise by proposing concentrated information and tools in information security management framework. Existence of an information security framework could motivate SME to use it in practice and lead to an increase of SME security level. The dissertation consists of an introduction, four main chapters and general conclusions. The first chapter introduces the problem of information security management and its’ automation. Moreover, state-of-the-art frameworks for information security management in SME are analyzed and compared. The second chapter proposes a novel information security management framework and guidelines on its adoption. The framework is designed based on existing methodologies and frameworks. A need for a model for security evaluation based on the organization’s management structure noticed in chapter two; therefore, new probability theory-based model for organizations information flow security level estimation presented in chapter three. The fourth chapter presents the validation of proposed security evaluation models by showing results of a case study and experts ranking of the same situations. The multi-criteria analysis was executed to evaluate the ISMF suitability to be applied in a small and medium enterprise. In this chapter, we also analyze the opinion of information technology employees in an SME on newly proposed information security management framework as well as a new model for information security level estimation. The thesis is summarized by the general conclusions which confirm the need of newly proposed framework and associated tools as well as its suitability to be used in SME to increase the understanding of current information security threat situation.Dissertatio

Classification And Analysis Of Mobile Health Evaluation Through Taxonomy and Method Development

This manuscript documents the creation and evaluation of a taxonomy for mobile health (m-health) evaluation and a method for m-health evaluation. M-health as a field within IS has seen significant amounts of growth in recent years due to improvements in technology leading to more affordable and portable computing power. The application of these technologies to the healthcare domain has created many new opportunities and benefits for patients and providers alike. This research seeks to study how these m-health projects are being evaluated and to determine what the characteristics of these evaluations are. To accomplish this goal, the research process is conducted as design science and the research outputs of taxonomy and method are presented as design science artifacts. The two artifacts are evaluated during their creation and once more afterwards to determine their utility. The taxonomy is created by collecting and analyzing documentation on m-health evaluation and using that information to generate descriptive categories by following a series of guidelines for creating a classification system. After evaluation of the artifact, a method is created for conducting m-health evaluation. This method is a series of guidelines built upon constructs and relationships derived from the taxonomy. Evaluation of the artifacts consists of expert surveys, cluster analysis, and attribute analysis. After evaluation of both artifacts, a descriptive theory explaining the selection of m-health evaluation types is created and presented. Theory development is based on the idea of kernel theories and their transferability to the information systems (IS) and design science domains. Contributions of this research are as follows: a classification system for m-health evaluation, a series of guidelines for individuals working on evaluations in the field of m-health, and a descriptive theory on the selection of evaluation type in an m-health context

Empirical Studies on Secure Development and Usage of Mobile Health Applications

Mobile technologies, comprising portable devices, context-sensitive software applications, and wireless networking protocols, are being increasingly adopted to exploit services offered for pervasive computing platforms. The utilisation of mobile health (mHealth) apps in the healthcare domain has become a promising tool to improve and support delivering health services in a pervasive manner. mHealth apps enable health professionals and providers to monitor their patients remotely (e.g., managing patients with chronic diseases). mHealth apps enable expanding healthcare coverage (e.g., reaching places where little or no healthcare is available). Furthermore, mHealth apps were used to reduce the spread of disease and infection (e.g., the Covid-19 tracking apps). The use of mHealth apps will enhance the quality of healthcare, reduce the cost, and more convenient for patients. The security of mHealth apps becomes a significant concern due to the privacy and integrity of health-critical data. The interest of attackers in healthcritical data (medical records, clinical reports, disease symptoms, etc.) has increased due to its value in the ‘black market’ as well as the social, legal, and financial consequences of compromised data. This thesis focuses on understanding the security of mHealth apps based on (a) developers' and (b) end-users perspectives by conducting a set of empirical studies. To empirically investigate the existing research, a systematic literature review (SLR) was conducted to gain a deeper understanding of the security challenges, which hinder the development of secure mHealth apps. Based on the findings of the SLR, first, we conducted a survey-based study - involving 97 mHealth apps developers from 25 countries and six continents to investigate the practitioners’ perspectives on security challenges, practices, and motivational factors that help developers to ensure the security of mHealth apps. Second, we conducted survey research - involving 101 endusers from two Saudi Arabian health providers to examine their security awareness about using clinical mHealth apps. We complement the end-users research by conducting an attack simulation study - involving 105 end-users from 14 countries and five continents to investigate their security behaviours when using mHealth apps. The empirical studies in this thesis contribute to (i) providing developers' perspectives on critical challenges, best practices, and motivating factors that support the engineering and development of emerging and next-generation secure mHealth apps; (ii) providing empirical evidence and a set of guidelines to facilitate researchers, practitioners, and stakeholders to develop and adopt secure mHealth apps for clinical practices and public health; (iii) providing empirical evidence using action-driven measurement on human security behaviour when using mHealth apps, and presented the potential mechanisms that lead end-users to make improper security decisions.Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202