Hybrid VFT/Delphi Method to Facilitate the Development of Information Security Strategies in Developing Countries

As systems become more interconnected the vulnerability to cyber attack also increases. The increased use of information and communication technology (ICT) in developing countries and the dangers associated with interconnectivity grows equally. The lack of an established guideline for information security planning and execution in developing countries further complicates this problem. There is the need for a holistic approach to information security planning. This study will use a combination of the Value Focused Thinking methodology and the measured Delphi Method to develop a framework that can assist decision makers and stakeholders in developing countries to craft and execute their information security strategies

Using Content Analysis for Privacy Requirement Extraction and Policy Formalization

Abstract: Privacy in cyberspace is a major concern nowadays and enterprises are required to comply with existing privacy regulations and ensure a certain level of privacy for societal and user acceptance. Privacy is also a multidisciplinary and mercury concept, which makes it challenging to define clear privacy requirements and policies to facilitate compliance check and enforcement at the technical level. This paper investigates the potential of using knowledge engineering approaches to transform legal documents to actionable business process models through the extraction of privacy requirements and formalization of privacy policies. The paper features two contributions: A literature review of existing privacy engineering approaches shows that semi-automatic support for extracting and modeling privacy policies from textual documents is often missing. A case study applying content analysis to five guideline documents on implementing privacy-preserving video surveillance systems yields promising first results towards a methodology on semi-automatic extraction and formalization of privacy policies using knowledge engineering approaches

Legal Compatibility as a Characteristic of Sociotechnical Systems

Legal compatibility as a characteristic of sociotechnical systems aims at the greatest possible compliance with higher-order legal goals for minimizing social risks of technical systems and extends legality, which refers to the prevention of lawlessness. The paper analyzes the criteria for legal compatibility by reviewing specifications of legally compatible systems and shows goals and resulting requirements to foster legal compatibility. These comprise the following areas: avoiding personal reference in data, ensuring information security, enabling freedom of decision, increasing transparency, ensuring traceability, and increasing usability, whereby traceability and the avoidance of personal reference pursue conflicting goals. The presentation of the goals including their dependencies, relationships, and conflicts in form of standardized requirements explains legal compatibility and summarizes the requirements necessary for the development of legally compatible Systems

Automating Software Customization via Crowdsourcing using Association Rule Mining and Markov Decision Processes

As systems grow in size and complexity so do their configuration possibilities. Users of modern systems are easy to be confused and overwhelmed by the amount of choices they need to make in order to fit their systems to their exact needs. In this thesis, we propose a technique to select what information to elicit from the user so that the system can recommend the maximum number of personalized configuration items. Our method is based on constructing configuration elicitation dialogs through utilizing crowd wisdom. A set of configuration preferences in form of association rules is first mined from a crowd configuration data set. Possible configuration elicitation dialogs are then modeled through a Markov Decision Processes (MDPs). Within the model, association rules are used to automatically infer configuration decisions based on knowledge already elicited earlier in the dialog. This way, an MDP solver can search for elicitation strategies which maximize the expected amount of automated decisions, reducing thereby elicitation effort and increasing user confidence of the result. We conclude by reporting results of a case study in which this method is applied to the privacy configuration of Facebook

Decision support for choice of security solution: the Aspect-Oriented Risk Driven Development (AORDD)framework

In security assessment and management there is no single correct solution to the identified security problems or challenges. Instead there are only choices and tradeoffs. The main reason for this is that modern information systems and security critical information systems in particular must perform at the contracted or expected security level, make effective use of available resources and meet end-users' expectations. Balancing these needs while also fulfilling development, project and financial perspectives, such as budget and TTM constraints, mean that decision makers have to evaluate alternative security solutions.\ud \ud This work describes parts of an approach that supports decision makers in choosing one or a set of security solutions among alternatives. The approach is called the Aspect-Oriented Risk Driven Development (AORDD) framework, combines Aspect-Oriented Modeling (AOM) and Risk Driven Development (RDD) techniques and consists of the seven components: (1) An iterative AORDD process. (2) Security solution aspect repository. (3) Estimation repository to store experience from estimation of security risks and security solution variables involved in security solution decisions. (4) RDD annotation rules for security risk and security solution variable estimation. (5) The AORDD security solution trade-off analysis and trade-o¤ tool BBN topology. (6) Rule set for how to transfer RDD information from the annotated UML diagrams into the trad-off tool BBN topology. (7) Trust-based information aggregation schema to aggregate disparate information in the trade-o¤ tool BBN topology. This work focuses on components 5 and 7, which are the two core components in the AORDD framework

Consumer Preferences for Privacy Management Systems

This work presents insights into consumer preferences regarding Privacy Management Systems in the context of the General Data Protection Regulation (GDPR). The authors perform a Choice-Based Conjoint experiment with consumers (n = 589) to elicit preferences over four attributes and compute usage likelihoods for all product configurations. Results show that data sharing for marketing purposes and discounts are the most important attributes for consumers. Furthermore, consumers prefer digital access to privacy-related information, detailed rights management for data sharing and no data sharing for marketing purposes. Moreover, a cluster analysis reveals differing importance weights across clusters. The study concludes that incorporating consumer preferences into the design and development process of Privacy Management Systems could increase their use and effectiveness, ultimately strengthening consumers’ privacy rights and companies’ legal compliance. The authors suggest researching legal, business, and consumer requirements more holistically to converge these perspectives to improve Privacy Management Systems adoptions