1,579 research outputs found

    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny. Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical. Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests. Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Genomic sequencing capacity, data retention, and personal access to raw data in Europe

    Whole genome/exome sequencing (WGS/WES) has become widely adopted in research and, more recently, in clinical settings. Many hope that the information obtained from the interpretation of these data will have medical benefits for patients and—in some cases—also their biological relatives. Because of the manifold possibilities to reuse genomic data, enabling sequenced individuals to access their own raw (uninterpreted) genomic data is a highly debated issue. This paper reports some of the first empirical findings on personal genome access policies and practices. We interviewed 39 respondents, working at 33 institutions in 21 countries across Europe. These sequencing institutions generate massive amounts of WGS/WES data and represent varying organisational structures and operational models. Taken together, in total, these institutions have sequenced ∼317,259 genomes and exomes to date. Most of the sequencing institutions reported that they are able to store raw genomic data in compliance with various national regulations, although there was a lack of standardisation of storage formats. Interviewees from 12 of the 33 institutions included in our study reported that they had received requests for personal access to raw genomic data from sequenced individuals. In the absence of policies on how to process such requests, these were decided on an ad hoc basis; in the end, at least 28 requests were granted, while there were no reports of requests being rejected. Given the rights, interests, and liabilities at stake, it is essential that sequencing institutions adopt clear policies and processes for raw genomic data retention and personal access

    Ethical Reflections of Human Brain Research and Smart Information Systems

    This case study explores ethical issues that relate to the use of Smart Information Systems (SIS) in human brain research. The case study is based on the Human Brain Project (HBP), which is a European Union funded project. The project uses SIS to build a research infrastructure aimed at the advancement of neuroscience, medicine and computing. The case study was conducted to assess how the HBP recognises and deals with ethical concerns relating to the use of SIS in human brain research. To understand some of the ethical implications of using SIS in human brain research, data was collected through a document review and three semi-structured interviews with participants from the HBP. Results from the case study indicate that the main ethical concerns with the use of SIS in human brain research include privacy and confidentiality, the security of personal data, discrimination that arises from bias and access to the SIS and their outcomes. Furthermore, there is an issue with the transparency of the processes that are involved in human brain research. In response to these issues, the HBP has put in place different mechanisms to ensure responsible research and innovation through a dedicated program. The paper provides lessons for the responsible implementation of SIS in research, including human brain research and extends some of the mechanisms that could be employed by researchers and developers of SIS for research in addressing such issues

    Governance of data for children’s learning in UK state schools

    When I first introduced the Age Appropriate Design Code (AADC) into the Data Protection Bill in 2018, I had no idea that it may not apply to education settings. Now, a few years on, there is still some confusion. What happens if schools are working remotely: does the AADC suddenly apply? Or if a teacher uses an app or service in the classroom that they downloaded directly from the internet: does the AADC no longer apply? Why is there a difference between state and private schools, when surely all pupils need their data protected? Why is the burden disproportionately put on teachers and schools to understand the complex data processing terms set out in the terms and conditions of services that are hungry for data? And, perhaps most crucially of all, why are schools sharing intimate pupil data (wittingly and not) with commercial companies at all? This report, authored by Emma Day, starts the work of unravelling some of these questions, and in doing so identifies gaps in provision, gaps in clarity, gaps in understanding. As such, it is the first step to working out what good might look like when the education sector and schools are brought into an effective data protection regime

    D:A4.1 Socio-economic impact assessment

    The executive summary ends with six concise recommendations for facilitating more accountability for data management in cloud ecosystems: 1. Provide a stronger legal base for and enforcement of data protection and accountable behavior; 2. Facilitate independent auditing of responsible data stewardship; 3. Increase public awareness of the need for accountability; 4. Balance existing information asymmetries via partnerships; 5. Focus on larger enterprises working in the public sector first, as these can serve as an example for other types of businesses; 6. Demonstrate how A4Cloud tools and mechanisms can be turned into a business model in order to encourage greater uptake and use

    Ethical decision making in a mixed methodological study investigating emotional intelligence and perceived stress amongst Academics

    Whereas there appears to be a large body of literature that focuses on ethical concerns within the context of research, there continues to be a feeling of isolation and lack of awareness of ethical guidance and support that leaves researchers to rely on institutional ethical requirements as well as their own ethical principles and previous experience. Consequently, there can be a significant variance in the quality of research. The challenge is that ethical decision making is not a term that can be simply defined, as it appears to include multiple influences such as individual difference, that include personality and environmental factors. As there appears to be no universal consensus, and the definition of ethics is broad, it gives rise to difficulties in defining the term “ethics”. However, it is important that stakeholder rights and dignity are protected. Hence, ethics is an essential component that needs to be addressed when undertaking academic research. The aim of this paper is to discuss the ethical implications associated with the study that investigates the relationship between emotional intelligence and perceived stress amongst 533 academics, helping to add a little more to existing information

    Legal, ethical and social impact on the use of computational intelligence based systems for land border crossings

    This paper provides an overview on the most relevant legal, ethical and social implications arising from the use of computational intelligence based systems for land border crossings. Based on the automatic deception detection system (ADDS) developed in the iBorderCtrl project, issues such as the peculiarities of the interaction of humans with machines, profiling, automated decision-making and the risk of false positives can be identified and demonstrate how computational intelligence based systems can challenge fundamental legal and ethical principles. These include in particular the right to privacy, human dignity and the principle of non-discrimination. By further analysing the various issues, this paper seeks to provide some thoughts on remedies and safeguards which should be considered when developing computational intelligence based systems. © 2018 IEEE. EC/H2020/700626/E