Security in online learning assessment towards an effective trustworthiness approach to support e-learning teams

(c) 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.This paper proposes a trustworthiness model for the design of secure learning assessment in on-line collaborative learning groups. Although computer supported collaborative learning has been widely adopted in many educational institutions over the last decade, there exist still drawbacks which limit their potential in collaborative learning activities. Among these limitations, we investigate information security requirements in on-line assessment, (e-assessment), which can be developed in collaborative learning contexts. Despite information security enhancements have been developed in recent years, to the best of our knowledge, integrated and holistic security models have not been completely carried out yet. Even when security advanced methodologies and technologies are deployed in Learning Management Systems, too many types of vulnerabilities still remain opened and unsolved. Therefore, new models such as trustworthiness approaches can overcome these lacks and support e-assessment requirements for e-Learning. To this end, a trustworthiness model is designed in order to conduct the guidelines of a holistic security model for on-line collaborative learning through effective trustworthiness approaches. In addition, since users' trustworthiness analysis involves large amounts of ill-structured data, a parallel processing paradigm is proposed to build relevant information modeling trustworthiness levels for e-Learning.Peer ReviewedPostprint (author's final draft

An Integrated Social Actor and Service Oriented Architecture (SOA) Approach for Improved Electronic Health Record (EHR) Privacy and Confidentiality in the US National Healthcare Information Network (NHIN)

The emerging US National Healthcare Information Network (NHIN) will improve healthcare’s efficacy, efficiency, and safety. The first-generation NHIN being developed has numerous advantages and limitations. One of the most difficult aspects of today’s NHIN is ensuring privacy and confidentiality for personal health data, because family and caregivers have multiple complex legal relationships to a patient. A Social Actor framework is suggested to organize and manage these legal roles, but the Social Actor framework would be very difficult to implement in today’s NHIN. Social Actor Security Management could, however, be effectively implemented using Service Oriented Architectures (SOAs), which are rapidly becoming accepted for supporting complex information exchange across heterogeneous information systems fabrics. The Department of Defense is applying SOA to all of its enterprises. It is using customized simulation and modeling tools to achieve security and robustness goals and to reduce the intrinsic design and implementation risks for SOA’s complex Systems of Systems environment. This paper integrates all of these approaches into a next-generation NHIN-2 design based on a specific Air Force SOA named MCSOA. This NHIN-2 design uses MCSOA to create Security Management, Service Discovery, and Presence Management agents to implement Social Actor support for improved confidentiality and privacy

Assessment of Information Security Culture in Higher Education

Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to protect the organization\u27s information assets through the creation and cultivation of a positive information security culture within the organization. As the collection and use of data expands in all economic sectors, the threat of data breach due to human error increases. Employee\u27s behavior towards information security is influenced by the organizations information security programs and the overall information security culture. This study examines the human factors of an information security program and their effect on the information security culture. These human factors consist of stringency of organizational policies, behavior deterrence, employee attitudes towards information security, training and awareness, and management support of the information security programs. A survey questionnaire was given to employees in the Florida College System to measure the human aspects of the information security programs. Confirmatory factor analysis (CFA) and Structural Equation Modeling (SEM) were used to investigate the relationships between the variables in the study using IBM® SPSS® Amos 24 software. The study results show that management support and behavior deterrence have a significant positive relationship with information security. Additionally, the results show no significant association between information security culture and organization policies, employee commitment and employee awareness. This suggests a need for further refinement of the model and the survey tool design to properly assess human factors of information security programs and their effects on the organizational security culture

A Design Theory for Secure Semantic E-Business Processes (SSEBP)

This dissertation develops and evaluates a Design theory. We follow the design science approach (Hevener, et al., 2004) to answer the following research question: "How can we formulate a design theory to guide the analysis and design of Secure Semantic eBusiness processes (SSeBP)?" Goals of SSeBP design theory include (i) unambiguously represent information and knowledge resources involved in eBusiness processes to solve semantic conflicts and integrate heterogeneous information systems; (ii) analyze and model business processes that include access control mechanisms to prevent unauthorized access to resources; and (iii) facilitate the coordination of eBusiness process activities-resources by modeling their dependencies. Business processes modeling techniques such as Business Process Modeling Notation (BPMN) (BPMI, 2004) and UML Activity Diagrams (OMG, 2003) lack theoretical foundations and are difficult to verify for correctness and completeness (Soffer and Wand, 2007). Current literature on secure information systems design methods are theoretically underdeveloped and consider security as a non-functional requirement and as an afterthought (Siponen et al. 2006, Mouratidis et al., 2005). SSeBP design theory is one of the first attempts at providing theoretically grounded guidance to design richer secure eBusiness processes for secure and coordinated seamless knowledge exchange among business partners in a value chain. SSeBP design theory allows for the inclusion of non-repudiation mechanisms into the analysis and design of eBusiness processes which lays the foundations for auditing and compliance with regulations such as Sarbanes-Oxley. SSeBP design theory is evaluated through a rigorous multi-method evaluation approach including descriptive, observational, and experimental evaluation. First, SSeBP design theory is validated by modeling business processes of an industry standard named Collaborative Planning, Forecasting, and Replenishment (CPFR) approach. Our model enhances CPFR by incorporating security requirements in the process model, which is critically lacking in the current CPFR technical guidelines. Secondly, we model the demand forecasting and capacity planning business processes for two large organizations to evaluate the efficacy and utility of SSeBP design theory to capture the realistic requirements and complex nuances of real inter-organizational business processes. Finally, we empirically evaluate SSeBP, against enhanced Use Cases (Siponen et al., 2006) and UML activity diagrams, for informational equivalence (Larkin and Simon, 1987) and its utility in generating situational awareness (Endsley, 1995) of the security and coordination requirements of a business process. Specific contributions of this dissertation are to develop a design theory (SSeBP) that presents a novel and holistic approach that contributes to the IS knowledge base by filling an existing research gap in the area of design of information systems to support secure and coordinated business processes. The proposed design theory provides practitioners with the meta-design and the design process, including the system components and principles to guide the analysis and design of secure eBusiness processes that are secure and coordinated

Providing Security to Health Care Systems based on CRISP-DM

All the health data are considered to be the personal private data and those data should need security. Like confidentiality, integrity, authority should be preserved in the case of medical data. Nowadays, there is no framework for health supporting the data modeling design, i.e. the existing models are generic and therefore are not suitable to support personalized systems and they do not consider the quality of clinical and personal data, required in health care. Based on the CRISP-DM methodology, a framework is proposed to design a data model for personalized health systems. This framework ensures the security of personal and clinical data to relate it with health standards, particularly with the Personal Health (PHR) ISO/TR 14292 standard, which addresses the recommendations of the parameters that must be within a personalized health system. To perform accurate recommendations it is important to make a data mining process, data mining is the process of analyzing the data from different perspective and summarizing it into useful information

Modeling Security Risks at the System Design Stage Alignment of Mal Activity Diagrams and SecureUML to the ISSRM Domain Model

Turvatehnika disain on üks olulisi süsteemiarenduse komponente. Ta peaks läbima tervet süsteemiarendusprotsessi. Kahjuks pööratakse talle paljudel juhtudel tähelepanu ainult süsteemi arendamise ja haldamise ajal. Paljud turvalise modelleerimise keeled (näiteks Misuse Case, Secure Tropos) aitavad turvariskejuba nõuete analüüsi etapil hallata. Käesolevas magistritöös vaatleme modelleerimisvahendeid (pahateoskeemid ja SecureUML), mida kasutatakse süsteemi disainil. Täpsemalt, me uurime, kuivõrd need vahendid toetavad infosüsteemide turvariskide haldust (Information Systems Security Risks Management, ISSRM). Töö tulemuseks on tabel, mis seab pahateoskeemid ning SecureUML-keele konstruktsioonid ISSRM domeeni mõistetega omavahel vastavusse. Me põhjendame oma analüüsi ning valideerime saadud tulemusi mitmel illustratiivsel näitel. Me loodame, et saadud tulemused aitavad arendajatel paremini aru saada, kuidas turvariske süsteemi disainietapil arvesse võtta. Peale selle, nende keelte analüüs ühisel kontseptuaalsel taustal annab tulevikus võimaluse neid keeli korraga kasutada ning loodud mudeleid ühest keelest teise teisendada.Security engineering is one of the important concerns during system development. It should be addressed throughout the whole system development process; however in many cases it is often dealt only during system development and maintenance. There are several security modeling languages (e.g, Misuse case, Secure Tropos) that help dealing with security risk management at the requirements stage. In this thesis, we are focusing on the modeling languages (e.g. Mal activity diagrams and SecureUML) that are used to design the system. More specifically we investigate how these languages support information systems security risks management (ISSRM). The outcome of this work is an alignment table between the Mal activity diagrams and SecureUML language constructs to the ISSRM domain model concepts. We ground our analysis and validate the received results on the number of illustrative examples. We hope that our results will help developers to understand how they can consider security risks at the system design stage. In addition we open the way for the interoperability between different modeling languages that are analysed using the same conceptual background, thus, potentially leading to the transformation between these modeling approaches

SISTEM INFORMASI BERORIENTASI OBJEK DENGAN PEMODELAN UNIFIED MODELING LANGUAGE PADA JASA SECURITY PT. PUTRATAMA KARYA MANDIRI

Abstract—In a corporate environment the computer is an absolute tool used for the implementation of computerbased information systems become an absolute necessity and can provide a competitive advantage, so it gets high priorities. With the Unified Modeling Language (UML) to support the description and design of software systems, especially systems that are built using object-oriented programming. To achieve progress in terms of services and facilitate the work, it is necessary to repair, especially in companies engaged in services as one of the security services. Start of the process of securing approval of a proposal by the company's service users, Recruitment security (security), selection, training, job placement company security personnel to service users through the reporting process. Intisari—Didalam lingkungan perusahaan komputer adalah alat mutlak yang dipergunakan untuk penerapan sistem informasi yang berbasis komputer menjadi kebutuhan yang mutlak dan dapat memberikan keunggulan kompetitif, sehingga mendapat perioritas yang tinggi. Dengan adanya Unified Modeling Language (UML) dapat membantu pendeskripsian dan desain sistem perangkat lunak, khususnya sistem yang dibangun menggunakan pemrograman berorientasi objek. Untuk mencapai kemajuan dalam hal pelayanan dan mempermudah pekerjaan, maka perlu diadakan perbaikan terutama pada perusahaan-perusahaan yang bergerak dibidang jasa seperti salah satunya jasa pengamanan. Mulai dari proses disetujuinya proposal pengamanan oleh perusahaan pengguna jasa, penerimaan tenaga pengamanan (security), seleksi, pelatihan, penempatan tugas tenaga pengamanan ke perusahaan pengguna jasa sampai dengan proses pembuatan laporan.Abstract—In a corporate environment the computer is an absolute tool used for the implementation of computerbased information systems become an absolute necessity and can provide a competitive advantage, so it gets high priorities. With the Unified Modeling Language (UML) to support the description and design of software systems, especially systems that are built using object-oriented programming. To achieve progress in terms of services and facilitate the work, it is necessary to repair, especially in companies engaged in services as one of the security services. Start of the process of securing approval of a proposal by the company's service users, Recruitment security (security), selection, training, job placement company security personnel to service users through the reporting process

Detecting Violations of Access Control and Information Flow Policies in Data Flow Diagrams

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation, which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both, information flow and access control, in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy

Detecting Violations of Access Control and Information Flow Policies in Data Flow Diagrams

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation, which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both, information flow and access control, in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy