Security Analysis of System Behaviour - From "Security by Design" to "Security at Runtime" -

The Internet today provides the environment for novel applications and processes which may evolve way beyond pre-planned scope and purpose. Security analysis is growing in complexity with the increase in functionality, connectivity, and dynamics of current electronic business processes. Technical processes within critical infrastructures also have to cope with these developments. To tackle the complexity of the security analysis, the application of models is becoming standard practice. However, model-based support for security analysis is not only needed in pre-operational phases but also during process execution, in order to provide situational security awareness at runtime. This cumulative thesis provides three major contributions to modelling methodology. Firstly, this thesis provides an approach for model-based analysis and verification of security and safety properties in order to support fault prevention and fault removal in system design or redesign. Furthermore, some construction principles for the design of well-behaved scalable systems are given. The second topic is the analysis of the exposition of vulnerabilities in the software components of networked systems to exploitation by internal or external threats. This kind of fault forecasting allows the security assessment of alternative system configurations and security policies. Validation and deployment of security policies that minimise the attack surface can now improve fault tolerance and mitigate the impact of successful attacks. Thirdly, the approach is extended to runtime applicability. An observing system monitors an event stream from the observed system with the aim to detect faults - deviations from the specified behaviour or security compliance violations - at runtime. Furthermore, knowledge about the expected behaviour given by an operational model is used to predict faults in the near future. Building on this, a holistic security management strategy is proposed. The architecture of the observing system is described and the applicability of model-based security analysis at runtime is demonstrated utilising processes from several industrial scenarios. The results of this cumulative thesis are provided by 19 selected peer-reviewed papers

Automated software systems generation for process-oriented organizations

Tese de doutoramento do Programa Doutoral em Tecnologias e Sistemas de InformaçãoCada vez mais, as organizações suportam as suas operações em sistemas de software. Torna-se, portanto, muito relevante o correto mapeamento das operações nos sistemas de software. Esta tese foca-se em organizações orientadas a processos de negócio, devido à relevância dada pelas normas de qualidade, pelos modelos de excelência, e pelos requisitos dos clientes, a esse tipo de estruturação interna das organizações. Nas organizações orientadas a processos de negócio existem diversos fatores, como o tempo envolvido nos projetos de implementação de processos de negócio em software, as diferenças existentes entre os modelos de processos de negócio e a sua implementação real, ou a quantidade e o tipo de recursos envolvidos nesses projetos, que fazem com que os projetos de desenvolvimento de software sejam demasiado dispendiosos, demorem demasiado tempo, e não garantam que o produto de software resultante seja o mais adequado à realidade da organização que o vai usar. Esta tese propõe que os sistemas de informação e de software devam ser desenvolvidos, desde o início, incorporando os modelos das organizações onde irão ser usados. Além disso, e como existem disponíveis modelos de referência de processos de negócio, esta tese também propõe o seu uso explícito aquando da recolha de requisitos. Assim, o objetivo principal da tese é propor uma metodologia que se inicie com modelos de processos de negócio e que termine com a geração de sistemas de software, para organizações orientadas a processos de negócio. A metodologia denomina-se BIM e é formalizada através do metamodelo EPF. Dada a abrangência dos temas a tratar, a tese foi conduzida tendo em atenção que o processo de desenvolvimento de software para suportar organizações orientadas a processos pode ser otimizado. Para melhor mostrar os diversos passos e resultados intermédios, usamos a metodologia de investigação Action Research. A tese propõe que as atividades de investigação sejam terminadas quando uma dada condição de paragem seja atingida, e para isso usa uma avaliação baseada num conjunto de indicadores para os resultados do produto e do processo, e uma adaptação do modelo de excelência EFQM para a forma como foi executado o processo de desenvolvimento. O foco das Action são os sistemas de software MES, essenciais na ligação entre sistemas de software embebido e sistemas ERP. Nesta tese, as Action iniciam-se com modelos de processos e com arquiteturas de software standard, e terminam com uma proposta de modelo de processo e com arquiteturas de software e tecnologias adaptadas à execução de processos de negócio. A tese propõe também alguns conceitos como IAvO (extensão de modelos de processos de negócio), OBO (componentes de software intermutáveis e não-proprietários), OA (aspetos organizacionais), e PF (framework de processos) para aumentarem a eficiência e eficácia na implementação em software de processos de negócio.Increasingly, organizations support their operations by using software systems, turning very relevant the proper mapping of operations into software systems. This thesis focuses on organizations oriented to business processes, due to the importance that quality norms, excellence models, and customer requirements put on this type of internal structures of organizations. Process-oriented organizations have characteristics, such as the time needed to implement business processes in software, the differences between the business process models and the real business processes, or the quantity and type of the required resources, that lead to development projects too expensive, taking too long to complete, and that do not assure that the resulting product is the most adequate to the reality of the client organization. This thesis proposes that the development of information and software system embodies, since the early stages, the models of the organization where they operate. In addition, and since business process reference models are available, the thesis also proposes to use explicitly such reference models by requirements collection time. Thus, the main goal of the thesis is to propose a methodology that picks business process reference models and ends with software systems, for process-oriented organizations. The methodology is denominated BIM and is formalized by using the EPF metamodel. Due to the wide scope of the studied areas, the thesis is tailored considering that the development process for processoriented organizations can be optimized. To express better the intermediate steps and results, we use the Action Research methodology. The thesis proposes that the research activities terminate when a stopping condition is met, based on a set of indicators for the product, and a tailoring of the EFQM model for the development process. The Actions are focused on MES, crucial for the linking of embedded software systems with ERP systems. In this thesis, the Actions start by using standard process models and software architectures, and end by using a proposed process model, and software architectures and technologies adapted to the execution of business software. The thesis also proposes new concepts like IAvO (extension to business process reference models), OBO (interchangeable and nonproprietary software components), AO (organizational aspects), and PF (process framework) to increase the efficiency and the effectiveness of the implementation of business processes in software

Modeling Narrative Discourse

This thesis describes new approaches to the formal modeling of narrative discourse. Although narratives of all kinds are ubiquitous in daily life, contemporary text processing techniques typically do not leverage the aspects that separate narrative from expository discourse. We describe two approaches to the problem. The first approach considers the conversational networks to be found in literary fiction as a key aspect of discourse coherence; by isolating and analyzing these networks, we are able to comment on longstanding literary theories. The second approach proposes a new set of discourse relations that are specific to narrative. By focusing on certain key aspects, such as agentive characters, goals, plans, beliefs, and time, these relations represent a theory-of-mind interpretation of a text. We show that these discourse relations are expressive, formal, robust, and through the use of a software system, amenable to corpus collection projects through the use of trained annotators. We have procured and released a collection of over 100 encodings, covering a set of fables as well as longer texts including literary fiction and epic poetry. We are able to inferentially find similarities and analogies between encoded stories based on the proposed relations, and an evaluation of this technique shows that human raters prefer such a measure of similarity to a more traditional one based on the semantic distances between story propositions

The perception of value creation by relationship managers in corporate banking: insights into relationship banking

This study explores the value creation in relationship banking from the relationship managers' perspective. A grounded theory approach (Strauss and Corbin, 1998) is adopted that theory is derived from data, systematically gathered and analyzed throughout the research process. This study derives concepts and categories from primary data and identifies relationships among these theoretical elements. This study provides a comprehensive picture of relationship banking as a social phenomenon, and supplies some theoretical and managerial implications. Moreover, this study links the literature relevant to relationship banking from different disciplines. This is a new way of looking at the relationship banking phenomenon and relevant literature in an integrated manner. This study conducted research to investigate why the case banks establish long-term relationships with corporate customers? The case banks considered macro conditions including the advances in technology, financial deregulation, and business globalisation when they adopted relationship banking. The interviewees perceived that relationship banking was efficient for managing risk, effective for saving cost and necessary for cross-selling. Some intervening conditions including customer information and knowledge, customer needs and customer confidence also influence the development of relationship banking. This study investigated how the case banks establish and maintain these relationships and how they organise and motivate relationship managers? The case banks built a relationship orientated corporate culture, organised employees around customer relationships and employed customervalue based performance measurement and incentive-based reward system. The employees cooperated inside the organisation and communicated with their customers regularly, exchanged information and provided relationship transactions. This study also investigated how the case banks and corporate customers get benefits from relationship banking? The interviewees perceived that the corporate customers gained benefits including fund availability, product availability, service quality, in-time heir, and business platform. The case banks gained benefits including reduction of credit risk, increase in income, sustainable profit, customer satisfaction, employee satisfaction. The findings were integrated and linked to some banking, finance, organisation and marketing literature related to relationship banking phenomenon. The case banks increased internal service quality through employee relationship management and improved employee satisfaction. The interviewees perceived that the corporate customers received benefits in the corporate banking market by customer relationship management. The increased customer satisfaction resulted in customer retention and profit to the case banks. The case banks perceived that added shareholder wealth improved shareholder satisfaction. This study concluded that the case banks, which had more relationship banking competitive advantages and better relationship banking, related processing systems were expected to outperform the competing banks

Virginia Commonwealth University Graduate and Professional Programs Bulletin Courses

Listing of professional and graduate courses for 2010-2011

Virginia Commonwealth University Graduate and Professional Programs Bulletin Courses

Listing of professional and graduate courses for 2009-2010

Virginia Commonwealth University Graduate and Professional Programs Bulletin Courses

Listing of professional and graduate courses for 2008-200