A Semantic Rule-Based Approach for Software Privacy by Design

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the URI link. Open access journalInformation system business is currently witnessing an increasing demand for system conformance with the international regime of GRC Governance, Risk and Compliance. Among different compliance approaches, data protection and privacy laws plays a key role. In this paper, we propose a compliance requirement analysis method from early stages of system modelling based on a semantically-rich model, where a mapping can be established from data protection and privacy requirements defined by laws and regulations to system business goals and contexts. The early consideration of requirements satisfies Privacy by Design, a key concept in General Data Protection Regulation 2012. The proposed semantic model consists of a number of ontologies each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance related to system along with relationships and rules between these concepts that encompass the domain knowledge. The main contribution of the work presented in this paper is the ontology-based compliance framework that demonstrates how description-logic reasoning techniques can be used to simulate legal reasoning requirements employed by legal professions against the description of each ontology

A Semantic Rule-Based Approach for Software Privacy by Design

Information system business is currently witnessing an increasing demand for system conformance with the international regime of GRC Governance, Risk and Compliance. Among different compliance approaches, data protection and privacy laws plays a key role. In this paper, we propose a compliance requirement analysis method from early stages of system modelling based on a semantically-rich model, where a mapping can be established from data protection and privacy requirements defined by laws and regulations to system business goals and contexts. The early consideration of requirements satisfies Privacy by Design, a key concept in General Data Protection Regulation 2012. The proposed semantic model consists of a number of ontologies each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance related to system along with relationships and rules between these concepts that encompass the domain knowledge. The main contribution of the work presented in this paper is the ontology-based compliance framework that demonstrates how description-logic reasoning techniques can be used to simulate legal reasoning requirements employed by legal professions against the description of each ontology

Information Security Risk Management (ISRM) Model for Saudi Arabian Organisations

This research aimed to investigate the factors influencing information security risk management (ISRM) and develop an ISRM model for large Saudi Arabian organisations. The study employed an exploratory research method following a top-down design approach. The research was conducted in two sequential phases: an interview and a focus group discussion. The research identified 14 factors grouped into the people, process, and technology that influence ISRM in large Saudi Arabian organisations. The proposed model can successfully guide large Saudi Arabian organisations to implement ISRM standards more effectively

Exiting the risk assessment maze: A meta-survey

Organizations are exposed to threats that increase the risk factor of their ICT systems. The assurance of their protection is crucial, as their reliance on information technology is a continuing challenge for both security experts and chief executives. As risk assessment could be a necessary process in an organization, one of its deliverables could be utilized in addressing threats and thus facilitate the development of a security strategy. Given the large number of heterogeneous methods and risk assessment tools that exist, comparison criteria can provide better understanding of their options and characteristics and facilitate the selection of a method that best fits an organization’s needs. This paper aims to address the problem of selecting an appropriate risk assessment method to assess and manage information security risks, by proposing a set of comparison criteria, grouped into 4 categories. Based upon them, it provides a comparison of the 10 popular risk assessment methods that could be utilized by organizations to determine the method that is more suitable for their needs. Finally, a case study is presented to demonstrate the selection of a method based on the proposed criteri

Host Card Emulation with Tokenisation: Security Risk Assessment

Host Card Emulation (HCE) is an architecture that provides virtual representation of contactless cards, enabling transactional communication for mobile devices with Near-Field Communication (NFC) support without the need of Secure Element (SE) hardware. Performing the card emulation mainly by software, usually in wallet-like applications which store payment tokens for enabling transactions, creates several risks that need to be properly evaluated in order to be able to materialise a risk-based implementation. This paper describes the HCEt and proposes the identification and assessment of its risks through a survey conducted to specialists in the subject matter, analysing the model from the point of view of a wallet application on a mobile device that stores payment tokens to be able to perform contactless transactions. Despite the increasing complexity and specialisation of software, hardware, and the respective technical cyberattacks we conclude that the human nature remains the easiest to exploit, with greater gains

Host card emulation with tokenisation: Security risk assessments

Host Card Emulation (HCE) é uma arquitetura que possibilita a representação virtual (emulação) de cartões contactless, permitindo a realização de transações através dispositivos móveis com capacidade de realizar comunicações via Near-Field Communication (NFC), sem a necessidade de utilização de um microprocessador chip, Secure Element (SE), utilizado em pagamentos NFC anteriores ao HCE. No HCE, a emulação do cartão é efetuada essencialmente através de software, geralmente em aplicações do tipo wallet. No modelo de HCE com Tokenização (HCEt), que ´e o modelo HCE específico analisado nesta dissertação, a aplicação armazena tokens de pagamento, que são chaves criptográficas derivadas das chaves do cartão original, críticas, por permitirem a execução de transações, ainda que, com limitações na sua utilização. No entanto, com a migração de um ambiente resistente a violações (SE) para um ambiente não controlado (uma aplicação num dispositivo móvel), há vários riscos que devem ser avaliados adequadamente para que seja possível materializar uma implementação baseada no risco. O presente estudo descreve o modelo de HCE com Tokenização (HCEt) e identifica e avalia os seus riscos, analisando o modelo do ponto de vista de uma aplicação wallet num dispositivo móvel, que armazena tokens de pagamento para poder realizar transações contactless

A Trust Evaluation Framework in Vehicular Ad-Hoc Networks

Vehicular Ad-Hoc Networks (VANET) is a novel cutting-edge technology which provides connectivity to millions of vehicles around the world. It is the future of Intelligent Transportation System (ITS) and plays a significant role in the success of emerging smart cities and Internet of Things (IoT). VANET provides a unique platform for vehicles to intelligently exchange critical information, such as collision avoidance or steep-curve warnings. It is, therefore, paramount that this information remains reliable and authentic, i.e., originated from a legitimate and trusted vehicle. Due to sensitive nature of the messages in VANET, a secure, attack-free and trusted network is imperative for the propagation of reliable, accurate and authentic information. In case of VANET, ensuring such network is extremely difficult due to its large-scale and open nature, making it susceptible to diverse range of attacks including man-in-the-middle (MITM), replay, jamming and eavesdropping. Trust establishment among vehicles can increase network security by identifying dishonest vehicles and revoking messages with malicious content. For this purpose, several trust models (TMs) have been proposed but, currently, there is no effective way to compare how they would behave in practice under adversary conditions. Further, the proposed TMs are mostly context-dependent. Due to randomly distributed and highly mobile vehicles, context changes very frequently in VANET. Ideally the TMs should perform in every context of VANET. Therefore, it is important to have a common framework for the validation and evaluation of TMs. In this thesis, we proposed a novel Trust Evaluation And Management (TEAM) framework, which serves as a unique paradigm for the design, management and evaluation of TMs in various contexts and in presence of malicious vehicles. Our framework incorporates an asset-based threat model and ISO-based risk assessment for the identification of attacks against critical risks. TEAM has been built using VEINS, an open source simulation environment which incorporates SUMO traffic simulator and OMNET++ discrete event simulator. The framework created has been tested with the implementation of three types of TM (data-oriented, entity-oriented and hybrid) under four different contexts of VANET based on the mobility of both honest and malicious vehicles. Results indicate that TEAM is effective to simulate a wide range of TMs, where the efficiency is evaluated against different Quality of Service (QoS) and security-related criteria. Such framework may be instrumental for planning smart cities and for car manufacturers.University of Derb