1,961 research outputs found

    An Expertise-driven Authoring Tool of Privacy Policies for e-Health

    Data sharing on the Internet is crucial in many aspects of life nowadays, from economy to leisure, from public administration to healthcare. However, it implies several privacy issues that have to be managed. Definition of appropriate policies helps to safeguard the data privacy. This paper describes an authoring tool for privacy policies to be applied to the healthcare scenario. The tool exhibits two different interfaces, designed according to specific expertise of the policy authors. It is part of a general framework for editing, analysis, and enforcement of privacy policies. Furthermore, this serves as a first brick for a usability study on such tools.

    Towards Safer Information Sharing in the Cloud

    Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust and control on how data is going to be used and processed by the entities that receive it. In the traditional world, this problem is addressed by using contractual agreements, which are signed by the involved parties, and law enforcement. This could be done electronically as well but, in addition to the trust issue, there is currently a major gap between the definition of legal contracts regulating the sharing of data, and the software infrastructure required to support and enforce them. How to enable organisations to provide more automation in this process? How to ensure that legal contracts can be actually enforced by the underlying IT infrastructure? How to enable end-users to express their preferences and constraints within these contracts? This article describes our R&D work to make progress towards addressing this gap via the usage of electronic Data Sharing Agreements (e-DSA). The aim is to share our vision, discuss the involved challenges and stimulate further research and development in this space. We specifically focus on a cloud scenario because it provides a rich set of use cases involving interactions and information sharing among multiple stakeholders, including users and service providers.

    SIFT: Building an Internet of safe Things

    As the number of connected devices explodes, the use scenarios of these devices and data have multiplied. Many of these scenarios, e.g., home automation, require tools beyond data visualizations, to express user intents and to ensure interactions do not cause undesired effects in the physical world. We present SIFT, a safety-centric programming platform for connected devices in IoT environments. First, to simplify programming, users express high-level intents in declarative IoT apps. The system then decides which sensor data and operations should be combined to satisfy the user requirements. Second, to ensure safety and compliance, the system verifies whether conflicts or policy violations can occur within or between apps. Through an office deployment, user studies, and trace analysis using a large-scale dataset from a commercial IoT app authoring platform, we demonstrate the power of SIFT and highlight how it leads to more robust and reliable IoT apps

    The Role of Individual Characteristics on Insider Abuse Intentions

    Insiders represent a major threat to the security of an organization’s information resources (Warkentin & Willison, 2009; Stanton et al., 2005). Previous research has explored the role of protection motivation or of deterrence in promoting compliant behavior, but these factors have not been studied together. Furthermore, other individual differences, such as the Big Five personality factors may serve as critical influences on cybersecurity compliance. In this study we use a factorial survey approach to identify key components of secure insider behavior. We obtained 201 observations from a diverse sample of employees. The results of this effort will enable us to develop psychological profiles of individual employees so that we may create personalized cybersecurity training protocols that meet the unique needs of each employee profile, appealing to the proper set of motivations for each. Findings of the present study are presented, and the long-term project goal is discussed

    Broadening the Scope of Security Usability from the Individual to the Organizational: Participation and Interaction for Effective, Efficient, and Agile Authorization

    Restrictions and permissions in information systems -- Authorization -- can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Conversely, the effectiveness can also be impacted when staff is forced to circumvent the measure to complete work -- typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. This thesis analyzes the diverse contexts in which authorization occurs, and systematically examines the problems that surround the different perspectives on authorization in organizational settings. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts

    Tiered architecture for remote access to data sources

    Teamwork is benefited by the use of shared data sources. Also, ever increasingly, organizational work depends on the activities of team members situated in different physical locations, including both employees who work from their homes and others who have been temporarily transferred to another place. Since, for all these reasons, accessing data remotely is a growing need, organizations implement internal systems in order to control shared data access according to user privileges. In this regard, the cost of resource transportation needed to generate communication must be considered. The main contribution of this paper is the extended reference layered architecture ICDFSCV (Interface Control and Distributed File Systems - Communication Versioning). It allows building a solution that facilitates document download and the creation and concurrent modification by multiple users through versioning control. Facultad de Informátic

    Security Policies That Make Sense for Complex Systems: Comprehensible Formalism for the System Consumer

    Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system's resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. For the system end-user, the functional allocation of security policy to discrete system components, or subsystems, may be too complex for comprehension. In this dissertation, the concept of a metapolicy, or policy that governs execution of subordinate security policies, is introduced. From the user's perspective, the metapolicy provides the rules for system governance that are functionally applied across the system's components for policy enforcement. The metapolicy provides a method to communicate updated higher-level policy information to all components of a system; it minimizes the overhead associated with access control decisions by making access decisions at the highest level possible in the policy hierarchy. Formal definitions of policy often involve mathematical proof, formal logic, or set theoretic notation. Such policy definitions may be beyond the capability of a system user who simply wants to control information sharing. For thousands of years, mankind has used narrative and storytelling as a way to convey knowledge. This dissertation discusses how the concepts of storytelling can be embodied in computational narrative and used as a top-level requirements specification.
    The definition of metapolicy is further discussed, as is the relationship between the metapolicy and various access control mechanisms. The use of storytelling to derive the metapolicy and its applicability to formal requirements definition is discussed. The author's hypothesis on the use of narrative to explain security policy to the system user is validated through the use of a series of survey instruments. The survey instrument applies either a traditional requirements specification language or a brief narrative to describe a security policy and asks the subject to interpret the statements. The results of this research are promising and reflect a synthesis of the disciplines of neuroscience, security, and formal methods to present a potentially more comprehensible knowledge representation of security policy.

    Student-Centered Learning: Functional Requirements for Integrated Systems to Optimize Learning

    The realities of the 21st-century learner require that schools and educators fundamentally change their practice. "Educators must produce college- and career-ready graduates that reflect the future these students will face. And, they must facilitate learning through means that align with the defining attributes of this generation of learners." Today, we know more than ever about how students learn, acknowledging that the process isn't the same for every student and doesn't remain the same for each individual, depending upon maturation and the content being learned. We know that students want to progress at a pace that allows them to master new concepts and skills, to access a variety of resources, to receive timely feedback on their progress, to demonstrate their knowledge in multiple ways and to get direction, support and feedback from—as well as collaborate with—experts, teachers, tutors and other students. The result is a growing demand for student-centered, transformative digital learning using competency education as an underpinning. iNACOL released this paper to illustrate the technical requirements and functionalities that learning management systems need to shift toward student-centered instructional models. This comprehensive framework will help districts and schools determine what systems to use and integrate as they begin their journey toward student-centered learning, as well as how systems integration aligns with their organizational vision, educational goals and strategic plans. Educators can use this report to optimize student learning and promote innovation in their own student-centered learning environments. The report will help school leaders understand the complex technologies needed to optimize personalized learning and how to use data and analytics to improve practices, and can assist technology leaders in re-engineering systems to support the key nuances of student-centered learning.