
    Security-Driven Software Evolution Using A Model Driven Approach

    A high security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use, and they pose security risks to the enterprise's assets because of the poor technologies used and the lack of security concern when they were designed. Software reengineering is a way to improve their security level in a systematic way. Model-driven development is an approach in which a model, as defined by its type, directs the execution of the process. The aim of this research is to explore how a model-driven approach can facilitate software reengineering driven by security demand. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. The task of this phase is to reverse engineer the legacy system into UML models, partition the legacy system into subsystems with the help of a model slicing technique, and detect existing security mechanisms to determine whether or not the security provided in the legacy system satisfies the user's security objectives. Secondly, security requirements are elicited using a risk analysis method. This is the process of analysing key aspects of the legacy system in terms of security. A new risk assessment method, taking asset, threat and vulnerability into consideration, is proposed and used to elicit the security requirements; it generates detailed security requirements in a specific format to direct the subsequent security enhancement. Finally, security enhancement of the system is performed using the proposed ontology-based security pattern approach. This is the stage in which security patterns, derived from security expertise and fulfilling the elicited security requirements, are selected and integrated into the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated on the selected case study. Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show that this thesis contributes an effective, reusable and suitable evolution approach for software security.

    Assessing System of Systems Security Risk and Requirements with OASoSIS

    When independent systems come together as a System of Systems (SoS) to achieve a new purpose, dealing with requirements conflicts across systems becomes a challenge. Moreover, assessing and modelling security risk for the independent systems and for the SoS as a whole is hampered by a gap in related research and approaches within the SoS domain. In this paper, we present an approach for bridging SoS and Requirements Engineering by identifying and aligning SoS concepts to assess and model security risk and requirements. We introduce our OASoSIS approach, which modifies OCTAVE Allegro for SoSs using CAIRIS (Computer Aided Integration of Requirements and Information Security), with a medical evacuation (MEDEVAC) SoS exemplar for Security Requirements Engineering tool support.
    Index Terms: System of Systems, Security, Risk, Human Factors, Requirements Engineering, CAIRIS

    Improving knowledge about the risks of inappropriate uses of geospatial data by introducing a collaborative approach in the design of geospatial databases

    Nowadays, the increased availability of geospatial information is a reality that many organizations, and even the general public, are trying to turn into a financial benefit. The reusability of datasets is now a viable alternative that may help organizations achieve cost savings. The quality of these datasets may vary, and may be questionable, depending on the usage context. The issue of geospatial data misuse becomes even more important because of the disparity between the different expertises of geospatial data end-users. Managing the risks of geospatial data misuse has been the subject of several studies over the past fifteen years. In this context, several approaches have been proposed to address these risks: some are preventive, while others are palliative and manage the risk only after its consequences have occurred. However, these approaches are often based on ad hoc, non-systemic initiatives. Thus, during the design process of the geospatial database, risk analysis is not always carried out in accordance with either the principles and guidelines of requirements engineering or the recommendations of ISO standards. In this thesis, we hypothesize that it is possible to define a new preventive approach for the identification and analysis of risks associated with inappropriate use of geospatial data. We believe that the expertise and knowledge held by experts (i.e. geo-IT experts) and by professional users of geospatial data within the institutional context of their functions (i.e. application domain experts) are key elements in the assessment of the risks of misuse of this data; hence, it becomes important to enrich that knowledge. Thus, we review the geospatial database design process and propose a collaborative and user-centric approach for requirements analysis. Under this approach, the expert and professional user is involved in a collaborative process that helps provide an a priori identification of inappropriate uses of the underlying data. Then, by reviewing research in the domain of risk analysis, we propose to systematically integrate risk analysis, using the Delphi technique, into the design of geospatial databases. Finally, still in the context of a collaborative approach, an ontological risk repository is proposed to enrich the knowledge about the risks of data misuse and to disseminate this knowledge to designers, developers and end-users. The approach is then implemented on a web platform in order to demonstrate its feasibility and to get the concepts working within a concrete prototype.

    The Future of the Internet III

    Presents survey results on technology experts' predictions on the Internet's social, political, and economic impact as of 2020, including its effects on integrity and tolerance, intellectual property law, and the division between personal and work lives

    Eliciting Security Requirements from Business Process Models

    The electronic version of this thesis does not contain the publications. Any given enterprise produces some value that is for the benefit of its customers. An enterprise can reach its business goals in an efficient and effective manner only if individuals and other enterprise resources, such as information systems, work well together. Business processes are an important concept for facilitating this collaboration. These business processes are described with models that are called business process models. In recent years, the modelling of business processes has received considerable attention, because information systems are increasingly being designed to support business processes. Moreover, given the dynamic business environment that the digital economy has brought about, enterprises need to continuously evolve their business processes and supporting information systems in order to cope with market changes and to take advantage of technology innovations. This phenomenon increases the need for appropriate information security in business processes. Nowadays, the importance of security goes far beyond merely ensuring business continuity or protecting the enterprise's assets; some authors claim security to be the driving force for doing business at all. The major problems with existing methods for security analysis are that these approaches focus on the implementation of security controls and leave behind the rationale for security. Similarly, requirements elicitation is either missing or haphazard, which leads to some critical security requirements being missed; and, due to the dynamic and complicated nature of business processes, existing studies address only particular aspects rather than the overall security of business processes. To address this need, the approach taken in this thesis is to analyse business process models from a security perspective in order to derive security objectives and requirements. The thesis proposes three complementary contributions. Firstly, security risk-oriented patterns that integrate security risk analysis into business process models; these patterns express security risk concepts in business process models in a form that business analysts can understand easily. Secondly, a taxonomy for assessing security in business processes; this taxonomy is used to classify the security risk-oriented patterns and helps analysts to apply these patterns in business process models. Finally, these contributions form the foundation for a method, Security Requirements Elicitation from Business Processes (SREBP), that performs a systematic elicitation of security requirements for an enterprise's business processes. These contributions work together to support security requirements elicitation from business process models, where i) the identification of business assets and the determination of security objectives are carried out from the enterprise's business processes, and ii) the elicitation of security requirements is performed on the operational business processes using contextual areas.

    Semantic discovery and reuse of business process patterns

    Patterns currently play an important role in modern information systems (IS) development and their use has mainly been restricted to the design and implementation phases of the development lifecycle. Given the increasing significance of business modelling in IS development, patterns have the potential of providing a viable solution for promoting reusability of recurrent generalized models in the very early stages of development. As a statement of research-in-progress this paper focuses on business process patterns and proposes an initial methodological framework for the discovery and reuse of business process patterns within the IS development lifecycle. The framework borrows ideas from the domain engineering literature and proposes the use of semantics to drive both the discovery of patterns as well as their reuse

    Model-Driven Information Security Risk Assessment of Socio-Technical Systems
