Human Factors in Secure Software Development

While security research has made significant progress in the development of theoretically secure methods, software and algorithms, software still comes with many possible exploits, many of those using the human factor. The human factor is often called ``the weakest link'' in software security. To solve this, human factors research in security and privacy focus on the users of technology and consider their security needs. The research then asks how technology can serve users while minimizing risks and empowering them to retain control over their own data. However, these concepts have to be implemented by developers whose security errors may proliferate to all of their software's users. For example, software that stores data in an insecure way, does not secure network traffic correctly, or otherwise fails to adhere to secure programming best practices puts all of the software's users at risk. It is therefore critical that software developers implement security correctly. However, in addition to security rarely being a primary concern while producing software, developers may also not have extensive awareness, knowledge, training or experience in secure development. A lack of focus on usability in libraries, documentation, and tools that they have to use for security-critical components may exacerbate the problem by blowing up the investment of time and effort needed to "get security right". This dissertation's focus is how to support developers throughout the process of implementing software securely. This research aims to understand developers' use of resources, their mindsets as they develop, and how their background impacts code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large scale datasets were analyzed to conduct this research. This research found that the information sources developers use can contribute to code (in)security: copying and pasting code from online forums leads to achieving functional code quickly compared to using official documentation resources, but may introduce vulnerable code. We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (possibly obsolete) defaults and unhelpful documentation also lead to insecure code. On the flip side, well-thought out documentation and abstraction levels can help improve an API's usability and may contribute to secure API usage. We found that developer experience can contribute to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming. We found that there is a multitude of online secure development advice, but that these advice sources are incomplete and may be insufficient for developers to retrieve help, which may cause them to choose un-vetted and potentially insecure resources. This dissertation supports that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented in this dissertation has been seminal in establishing human factors in secure development research within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. In these research projects, we repeatedly found that usability issues of security and privacy mechanisms, development practices, and operation routines are what leads to the majority of security and privacy failures that affect millions of end users

Electronic Evidence and Electronic Signatures

In this updated edition of the well-established practitioner text, Stephen Mason and Daniel Seng have brought together a team of experts in the field to provide an exhaustive treatment of electronic evidence and electronic signatures. This fifth edition continues to follow the tradition in English evidence text books by basing the text on the law of England and Wales, with appropriate citations of relevant case law and legislation from other jurisdictions. Stephen Mason (of the Middle Temple, Barrister) is a leading authority on electronic evidence and electronic signatures, having advised global corporations and governments on these topics. He is also the editor of International Electronic Evidence (British Institute of International and Comparative Law 2008), and he founded the innovative international open access journal Digital Evidence and Electronic Signatures Law Review in 2004. Daniel Seng (Associate Professor, National University of Singapore) is the Director of the Centre for Technology, Robotics, AI and the Law (TRAIL). He teaches and researches information technology law and evidence law. Daniel was previously a partner and head of the technology practice at Messrs Rajah & Tann. He is also an active consultant to the World Intellectual Property Organization, where he has researched, delivered papers and published monographs on copyright exceptions for academic institutions, music copyright in the Asia Pacific and the liability of Internet intermediaries

On the adoption of end-user IT security measures

[no abstract

Usable assured deletion in the cloud

The prevalence of cloud and storage-as-a-service has led to users storing and sharing data through such services. However, little is understood about one key element of data management in this new landscape, i.e., data deletion and more critically assured deletion. With regards to deletion, existing research has not explored the deletion needs of users, their preferences and the challenges they face. Nor is there any understanding of the challenges faced by cloud providers should they want to offer assured deletion. Users’ deletion needs and their preferences are diverse and vary depending on the context. However, satisfying these needs may be limited to the properties of the infrastructure - what the infrastructure permits and does not. For instance, the cloud infrastructure has various features that may pose different challenges to meeting the needs of users and providing assured deletion. These features include virtualization, multi-tenancy, high availability and On-demand elasticity. The work presented in this thesis is the first to investigate these issues. Thus, it finds that users’ motivation to delete are: privacy-, policy-, expertise- and storage-driven. They fail to delete because of the poorly designed interfaces, the way they perceive cloud deletion and lack of information about cloud deletion. Users want to have a choice in how their data is deleted, they want to be able to specify the type of deletion. Their deletion preferences are complex and may always change depending on the context of deletion, i.e., individually or socially. Regarding information about deletion, they want important information that may help them to delete or recover from failures to be easily accessible through the interface. They do not want essential information only to be restricted to privacy policies. Using these findings, this thesis provides a conceptual framework for the design of usable assured deletion in the cloud and then formulates user requirements for usable assured deletion. With regards to providers, by analysing the cloud infrastructure, this work provides a systematization of the challenges that providers face while attempting to assure deletion. It also identifies the cloud provider requirements for usable assured deletion. By considering both sets of requirements, i.e., user and provider requirements, this work provides user requirements and principles for usable assured deletion. Overall, the findings of this work formulate a solid grounding for the design and the development of cloud systems that assure deletion in a usable way. More importantly, it helps in the empowerment of users with regards to assured deletion

TTSS'11 - 5th International Workshop on Harnessing Theories for Tool Support in Software

The aim of the workshop is to bring together practitioners and researchers from academia, industry and government to present and discuss ideas about: • How to deal with the complexity of software projects by multi-view modeling and separation of concerns about the design of functionality, interaction, concurrency, scheduling, and nonfunctional requirements, and • How to ensure correctness and dependability of software by integrating formal methods and tools for modeling, design, verification and validation into design and development processes and environments. • Case studies and experience reports about harnessing static analysis tools such as model checking, theorem proving, testing, as well as runtime monitoring

Finnish Enterprise Agile Transformations : A Survey Study

Peer reviewe

Electronic Evidence and Electronic Signatures

In this updated edition of the well-established practitioner text, Stephen Mason and Daniel Seng have brought together a team of experts in the field to provide an exhaustive treatment of electronic evidence and electronic signatures. This fifth edition continues to follow the tradition in English evidence text books by basing the text on the law of England and Wales, with appropriate citations of relevant case law and legislation from other jurisdictions. Stephen Mason (of the Middle Temple, Barrister) is a leading authority on electronic evidence and electronic signatures, having advised global corporations and governments on these topics. He is also the editor of International Electronic Evidence, and he founded the innovative international open access journal Digital Evidence and Electronic Signatures Law Review in 2004. Daniel Seng (Associate Professor, National University of Singapore) is the Director of the Centre for Technology, Robotics, AI and the Law (TRAIL). He teaches and researches information technology law and evidence law. Daniel was previously a partner and head of the technology practice at Messrs Rajah & Tann. He is also an active consultant to the World Intellectual Property Organization, where he has researched, delivered papers and published monographs on copyright exceptions for academic institutions, music copyright in the Asia Pacific and the liability of Internet intermediaries

The Proceedings of the 23rd Annual International Conference on Digital Government Research (DGO2022) Intelligent Technologies, Governments and Citizens June 15-17, 2022

The 23rd Annual International Conference on Digital Government Research theme is “Intelligent Technologies, Governments and Citizens”. Data and computational algorithms make systems smarter, but should result in smarter government and citizens. Intelligence and smartness affect all kinds of public values - such as fairness, inclusion, equity, transparency, privacy, security, trust, etc., and is not well-understood. These technologies provide immense opportunities and should be used in the light of public values. Society and technology co-evolve and we are looking for new ways to balance between them. Specifically, the conference aims to advance research and practice in this field. The keynotes, presentations, posters and workshops show that the conference theme is very well-chosen and more actual than ever. The challenges posed by new technology have underscored the need to grasp the potential. Digital government brings into focus the realization of public values to improve our society at all levels of government. The conference again shows the importance of the digital government society, which brings together scholars in this field. Dg.o 2022 is fully online and enables to connect to scholars and practitioners around the globe and facilitate global conversations and exchanges via the use of digital technologies. This conference is primarily a live conference for full engagement, keynotes, presentations of research papers, workshops, panels and posters and provides engaging exchange throughout the entire duration of the conference

An ontology-based analysis method for assessing and improving the quality of hazard analysis results

Safety-critical systems such as medical devices and avionics systems are developed using systematic processes and rigorous analysis methods. This is necessary to gain strong confidence that the system is not affected by latent design problems that may lead to system failures or unintended behaviours that, ultimately, could result in damage or harm to people or the environment. Whilst different guidelines and recommended best development practices are provided in different regulatory frameworks and standards, all processes share a common initial stage, known as hazard analysis. The aim of the hazard analysis is to identify all known and foreseeable scenarios and problematic situations. It is important that the hazard analysis is as accurate and as comprehensive as possible since the entire development process builds on the hazard analysis results. Any missed scenario or overlooked problematic situation could breach the mitigation strategies designed to guarantee the safety of the system. Several hazard analysis techniques have been introduced over the last 50 years to improve the quality of the analysis. However, a known weakness of the current generation of techniques is that they often rely on manual analysis of information recorded in textual format. For realistic,complex systems, the amount of information is usually abundant and overwhelming. Because ofthis, even the most expert analyst can accidentally overlook important aspects of the system that should have been considered to ensure the safety of the system. The research work presented in this thesis aims to provide a systematic and comprehensive way to help the expert analyst with his task. This thesis explores the development of a novel method and supporting analysis tool for the refinement of the hazard analysis results. The method is structured into a series of stages, each of which provides feedback to the analysts to help them gain confidence in the quality of the analysis. The method also helps to identify and resolve weaknesses in the analysis, if they are present. The research builds an ontology to represent knowledge collected during the hazard analysis. Inference rules are used to reason about possible scenarios, hazards, hazard causes and their relations. Formal (i.e., mathematically-based) tools are used to mechanise the exploration of scenarios, discover relations between hazards and causes that may have been overlooked during the analysis. The effectiveness of the proposed method is evaluated using various realistic case studies from different application domai

Digital smartphone intervention to recognise and manage early warning signs in schizophrenia to prevent relapse : the EMPOWER feasibility cluster RCT

Funding Information: Funding: This project was funded by the National Institute for Health and Care Research (NIHR) Health Technology Assessment programme and will be published in full in Health Technology Assessment; Vol. 26, No. 27. See the NIHR Journals Library website for further project information. Funding in Australia was provided by the National Health and Medical Research Council (APP1095879). Funding Information: The research reported in this issue of the journal was funded by the HTA programme as project number 13/154/04. The contractual start date was in April 2016. The draft report began editorial review in September 2019 and was accepted for publication in March 2020. The authors have been wholly responsible for all data collection, analysis and interpretation, and for writing up their work. The HTA editors and publisher have tried to ensure the accuracy of the authors’ report and would like to thank the reviewers for their constructive comments on the draft document. However, they do not accept liability for damages or losses arising from material published in this report. Funding Information: Declared competing interests of authors: Andrew I Gumley reports personal fees from the University of Manchester, the University of Exeter and the British Association for Behavioural & Cognitive Psychotherapies (BABCP) (Accrington, UK), and other interests with NHS Education for Scotland outside the submitted work. John Ainsworth reports other interests with Affigo CIC (Manchester, UK) outside the submitted work. Sandra Bucci is a director of Affigo CIC, a not-for-profit social enterprise company spun out of the University of Manchester in December 2015 to enable access to social enterprise funding and to promote ClinTouch, a symptom-monitoring app, to the NHS and public sector. Andrew Briggs reports personal fees from Bayer (Leverkusen, Germany), Merck Sharp & Dohme (Kenilworth, NJ, USA), Janssen Pharmaceutica (Beerse, Belgium), Novartis (Basel, Switzerland), SWORD Health (Porto, Portugal), Amgen Inc. (Thousand Oaks, CA, USA) and Daiichi Sankyo (Tokyo, Japan) outside the submitted work. John Farhall reports grants from the National Health and Medical Research Council (Australia) during the conduct of the study and other interests with Melbourne Health (NorthWestern Mental Health, Parkville, VIC, Australia) outside the submitted work. Shôn Lewis reports grants from the Medical Research Council, non-financial support from Affigo CIC and personal fees from XenZone plc (Manchester, UK) outside the submitted work. Cathy Mihalopoulos reports grants from National Health and Medical Research Council (Australia) during the conduct of the study. John Norrie reports grants from the University of Aberdeen and the University of Edinburgh during the conduct of the study and declares membership of the following NIHR boards: CPR Decision Making Committee (2016), HTA Commissioning Board (2010–16), HTA Commissioning Sub-Board (EOI) (2012–16), HTA Funding Boards Policy Group (2016), HTA General Board (2016–19), HTA Post-Board funding teleconference (2016–19), NIHR CTU Standing Advisory Committee (2017–present), NIHR HTA and EME Editorial Board (2014–19) and Pre-exposure Prophylaxis Impact Review Panel (2017–present). Paul French is a member of the HTA Mental Health Prioritisation Panel (2017–present). Chris Williams reports grants from NIHR during the conduct of the study (HTA 10/104/34 BEAT-IT: a randomised controlled trial comparing a behavioural activation treatment for depression in adults with learning disabilities with attention control; NIHR multicentre RCT of a group psychological intervention for postnatal depression in British mothers of South Asian Origin: RP-PG-0514-20012: Integrated therapist and online CBT for depression in primary care); other from Five Areas Ltd (Clydebank, UK) outside the submitted work; and that he has twice been president of the British Association for Behavioural & Cognitive Psychotherapies, the lead body for cognitive–bahavioural therapy in the UK. This body aims to advocate use of evidence-based delivery of cognitive–bahavioural therapy. Publisher Copyright: © Queen’s Printer and Controller of HMSO 2022.Peer reviewedPublisher PD