197 research outputs found
A Semantic Rule-Based Approach for Software Privacy by Design
Information system business is currently witnessing an increasing demand for system conformance with the international regime of GRC (Governance, Risk and Compliance). Among different compliance approaches, data protection and privacy laws play a key role. In this paper, we propose a compliance requirement analysis method from early stages of system modelling based on a semantically-rich model, where a mapping can be established from data protection and privacy requirements defined by laws and regulations to system business goals and contexts. The early consideration of requirements satisfies Privacy by Design, a key concept in General Data Protection Regulation 2012. The proposed semantic model consists of a number of ontologies each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance related to system along with relationships and rules between these concepts that encompass the domain knowledge. The main contribution of the work presented in this paper is the ontology-based compliance framework that demonstrates how description-logic reasoning techniques can be used to simulate legal reasoning requirements employed by legal professions against the description of each ontology.
Information Security Risk Management (ISRM) Model for Saudi Arabian Organisations
This research aimed to investigate the factors influencing information security risk management (ISRM) and develop an ISRM model for large Saudi Arabian organisations. The study employed an exploratory research method following a top-down design approach. The research was conducted in two sequential phases: an interview and a focus group discussion. The research identified 14 factors, grouped into people, process, and technology, that influence ISRM in large Saudi Arabian organisations. The proposed model can successfully guide large Saudi Arabian organisations to implement ISRM standards more effectively.
Exiting the risk assessment maze: A meta-survey
Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization’s needs. This paper aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into 4 categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteria.
Host Card Emulation with Tokenisation: Security Risk Assessment
Host Card Emulation (HCE) is an architecture that provides virtual representation of contactless cards, enabling transactional communication for mobile devices with Near-Field Communication (NFC) support without the need for Secure Element (SE) hardware. Performing the card emulation mainly in software, usually in wallet-like applications which store payment tokens for enabling transactions, creates several risks that need to be properly evaluated in order to be able to materialise a risk-based implementation. This paper describes the HCEt and proposes the identification and assessment of its risks through a survey of specialists in the subject matter, analysing the model from the point of view of a wallet application on a mobile device that stores payment tokens to be able to perform contactless transactions. Despite the increasing complexity and specialisation of software, hardware, and the respective technical cyberattacks, we conclude that human nature remains the easiest to exploit, with greater gains.
Host card emulation with tokenisation: Security risk assessments
Host Card Emulation (HCE) is an architecture that enables the virtual representation (emulation) of contactless cards, allowing transactions to be carried out through mobile devices capable of communicating via Near-Field Communication (NFC), without the need for a microprocessor chip, the Secure Element (SE), used in NFC payments prior to HCE. In HCE, card emulation is performed essentially in software, generally in wallet-type applications. In the HCE with Tokenisation (HCEt) model, which is the specific HCE model analysed in this dissertation, the application stores payment tokens, which are cryptographic keys derived from the keys of the original card and are critical because they allow transactions to be executed, albeit with limitations on their use. However, with the migration from a tamper-resistant environment (SE) to an uncontrolled environment (an application on a mobile device), there are several risks that must be properly assessed so that a risk-based implementation can be realised. This study describes the HCE with Tokenisation (HCEt) model and identifies and assesses its risks, analysing the model from the point of view of a wallet application on a mobile device that stores payment tokens in order to perform contactless transactions.
A Trust Evaluation Framework in Vehicular Ad-Hoc Networks
Vehicular Ad-Hoc Networks (VANET) is a novel cutting-edge technology which provides connectivity to millions of vehicles around the world. It is the future of Intelligent Transportation System (ITS) and plays a significant role in the success of emerging smart cities and Internet of Things (IoT). VANET provides a unique platform for vehicles to intelligently exchange critical information, such as collision avoidance or steep-curve warnings. It is, therefore, paramount that this information remains reliable and authentic, i.e., originated from a legitimate and trusted vehicle. Due to sensitive nature of the messages in VANET, a secure, attack-free and trusted network is imperative for the propagation of reliable, accurate and authentic information. In case of VANET, ensuring such network is extremely difficult due to its large-scale and open nature, making it susceptible to diverse range of attacks including man-in-the-middle (MITM), replay, jamming and eavesdropping.
Trust establishment among vehicles can increase network security by identifying dishonest vehicles and revoking messages with malicious content. For this purpose, several trust models (TMs) have been proposed but, currently, there is no effective way to compare how they would behave in practice under adversary conditions. Further, the proposed TMs are mostly context-dependent. Due to randomly distributed and highly mobile vehicles, context changes very frequently in VANET. Ideally the TMs should perform in every context of VANET. Therefore, it is important to have a common framework for the validation and evaluation of TMs.
In this thesis, we proposed a novel Trust Evaluation And Management (TEAM) framework, which serves as a unique paradigm for the design, management and evaluation of TMs in various contexts and in the presence of malicious vehicles. Our framework incorporates an asset-based threat model and ISO-based risk assessment for the identification of attacks against critical risks. TEAM has been built using VEINS, an open source simulation environment which incorporates the SUMO traffic simulator and the OMNET++ discrete event simulator. The framework created has been tested with the implementation of three types of TM (data-oriented, entity-oriented and hybrid) under four different contexts of VANET based on the mobility of both honest and malicious vehicles. Results indicate that TEAM is effective at simulating a wide range of TMs, where the efficiency is evaluated against different Quality of Service (QoS) and security-related criteria. Such a framework may be instrumental for planning smart cities and for car manufacturers.
University of Derb