Ethics in Security Vulnerability Research
Debate has arisen in the scholarly community, as well as among policymakers and business entities, regarding the role of vulnerability researchers and security practitioners as sentinels of information security adequacy. The exact definition of vulnerability research and who counts as a "vulnerability researcher" is a subject of debate in the academic and business communities. For purposes of this article, we presume that vulnerability researchers are driven by a desire to prevent information security harms and engage in responsible disclosure upon discovery of a security vulnerability. Yet provided that these researchers and practitioners do not themselves engage in conduct that causes harm, their conduct doesn't necessarily run afoul of ethical and legal considerations. We advocate crafting a code of conduct for vulnerability researchers and practitioners, including the implementation of procedural safeguards to ensure minimization of harm
When Programs Collide: A Panel Report on the Competing Interests of Analytics and Security
The increasing demand for business analytics and cybersecurity professionals provides an exciting job outlook for graduates of information systems programs. However, the rapid proliferation of devices and systems that spurred this trend has created a challenging ethical dilemma for the individuals responsible for educating future generations of information technology professionals. Many firms collect and store as much data as possible in the hope that technology might uncover useful insights in the future. This behavior results in an ever-increasing challenge for those charged with protecting organizational assets and exerts pressure on executives seeking an analytical edge to remain profitable in a hyper-competitive marketplace. With this dilemma in mind, a recent panel discussion at the 14th Annual Midwest Association for Information Systems Conference explored the delicate balance between unleashing the power of analytics and securing the sensitive data it consumes while respecting consumer privacy. This paper reports on that discussion and its insights
On the Complexity of Health Data Protection-in-Practice: Insights from a Longitudinal Qualitative Study
Digitalization of healthcare presents opportunities for improving the quality of healthcare services and promises economic benefits. However, the success of digital health and the benefits cannot be actualized without considering health data protection practices in the process of healthcare service delivery. Despite the criticality of protecting health data in the system use lifecycle (from recording to consuming and taking informed actions), there is a paucity of research to investigate this complex phenomenon. Using longitudinal qualitative data on a state-wide digital health transformation project, we contextually theorize the practices for protecting health data. Our study reveals five types of health data protection-in-practice, namely data minimization, informal encoding, accuracy, improving cyber-awareness, and appropriate access management. Our results provide new insights into information system use (especially, effective use), and highlight practices that can improve health data protection
SMEs' Confidentiality Concerns for Security Information Sharing
Small and medium-sized enterprises are considered an essential part of the EU
economy; however, they are highly vulnerable to cyberattacks. SMEs have specific
characteristics which separate them from large companies and influence their
adoption of good cybersecurity practices. To mitigate the SMEs' cybersecurity
adoption issues and raise their awareness of cyber threats, we have designed a
self-paced security assessment and capability improvement method, CYSEC. CYSEC
is a security awareness and training method that utilises self-reporting
questionnaires to collect companies' information about cybersecurity awareness,
practices, and vulnerabilities to generate automated recommendations for
counselling. However, confidentiality concerns about cybersecurity information
have an impact on companies' willingness to share their information. Security
information sharing decreases the risk of incidents and increases users'
self-efficacy in security awareness programs. This paper presents the results
of semi-structured interviews with seven chief information security officers of
SMEs to evaluate the impact of online consent communication on motivation for
information sharing. The results were analysed in respect of the Self
Determination Theory. The findings demonstrate that online consent with
multiple options for indicating a suitable level of agreement improved
motivation for information sharing. This allows many SMEs to participate in
security information sharing activities and supports security experts to have a
better overview of common vulnerabilities. The final publication is available
at Springer via https://doi.org/10.1007/978-3-030-57404-8_22. Comment: 10 pages, 2 figures, 14th International Symposium on Human Aspects of
Information Security & Assurance (HAISA 2020)
Language model AI and international commercial arbitration
This thesis dives deep into the world of a specific type of artificial intelligence (AI), Large Language Models (LLMs), and how they might impact international business disputes, or more specifically, international commercial arbitration.
In an age where rapid advancement in technology is quickly reshaping our world, the legal field isn't immune to this transformation. Among the game-changers, language model AI could, due to its promising capacity of data-processing and outcome prediction, potentially make international arbitration quicker and less expensive, thereby providing easier access to justice for the commercial sector across the globe.
However, it's not all smooth sailing. The study also identifies legal limitations regarding the use of LLMs in arbitration - issues related to bias, maintaining fair processes, keeping data private, and determining who is accountable when AI is involved. Overcoming these obstacles is crucial before AI can be confidently incorporated into arbitration.
While LLMs hold exciting potential for international commercial arbitration, careful implementation is important. We need comprehensive rules and guidelines to ensure language model AI operates effectively and ethically in this arena. The use of AI should be a considered decision, keeping in mind the potential hurdles and working towards mitigating them.
Bioterrorism and the Food Drug Administration: H.R. 3448, Related Legislation, and the FDA’s Expanding Role in Preventing and Responding to Biological Attack
This paper examines the potential impact of recent and proposed bioterrorism legislation on the U.S. Food and Drug Administration (FDA). It concludes that at least one such piece of legislation, H.R. 3448, the “Public Health Security and Bioterrorism Response Act of 2001,” would significantly impact the authority and activities of FDA, as well as affecting FDA-regulated entities and other stakeholders. The paper includes recommendations for further FDA action, noting that as the federal agency responsible for the safety and efficacy of food, drugs, medical devices, vaccines, and other biological and non-biological products across the nation, FDA holds a unique and critical position in bioterrorism prevention and response
The Development of a Red Teaming Service-Learning Course
Despite advancements in pedagogy and technology, students often yearn for more applied opportunities in information security education. Further, small businesses are likely to have inadequate information security postures due to limited budgets and expertise. To address both issues, an advanced course in ethical hacking was developed which allows students to perform security assessments for local businesses through red team engagements. This paper will allow academics to implement similar courses, improving security education for students and increasing opportunities for local businesses to receive affordable security assessments