26 research outputs found

    Guest editorial preface: special issue on Evolving security and privacy requirements engineering (ESPRE'14) 2014, Sweden.

    At the Evolving Security and Privacy Requirements Engineering (ESPRE) workshop, practitioners and researchers interested in security and privacy requirements gather to discuss significant issues in the field. In particular, ESPRE participants probe the interfaces between requirements engineering, security and privacy. At ESPRE workshops, participants also take the first step in evolving security and privacy requirements engineering to meet the needs of stakeholders, ranging from business analysts and security engineers to technology entrepreneurs and privacy advocates. The most recent ESPRE workshop was held in Karlskrona, Sweden in August 2014, and was co-located with the RE 2014 conference.

    Enhancing Problem Frames with Trust and Reputation for Analyzing Smart Grid Security Requirements

    Abstract. Smart grids are expected to scale over millions of users and provide numerous services over geographically distributed entities. Moreover, smart grids are expected to contain controllable local systems (CLS) such as fridges or heaters that can be controlled using the network communication technology of the grid. Security solutions that prevent harm to the grid and to its stakeholders from CLS are essential. Moreover, traditional security approaches such as static access control systems cause a lot of administrative workload and are difficult to maintain in fast growing and changing systems. In contrast, trust management is a soft security mechanism that can reduce this workload significantly. Even though there is not any accepted definition of trust, it is agreed that it can improve decision-making processes under risk and uncertainty, improving in turn systems' security. We use the problem frames notation to discuss requirements for a trust-based security solution concerning CLS.

    Parasitoids indicate major climate-induced shifts in arctic communities

    Climatic impacts are especially pronounced in the Arctic, which as a region is warming twice as fast as the rest of the globe. Here, we investigate how mean climatic conditions and rates of climatic change impact parasitoid insect communities in 16 localities across the Arctic. We focus on parasitoids in a widespread habitat, Dryas heathlands, and describe parasitoid community composition in terms of larval host use (i.e., parasitoid use of herbivorous Lepidoptera vs. pollinating Diptera) and functional groups differing in their closeness of host associations (koinobionts vs. idiobionts). Of the latter, we expect idiobionts, as being less fine-tuned to host development, to be generally less tolerant to cold temperatures, since they are confined to attacking hosts pupating and overwintering in relatively exposed locations. To further test our findings, we assess whether similar climatic variables are associated with host abundances in a 22-year time series from Northeast Greenland. We find sites which have experienced a temperature rise in summer while retaining cold winters to be dominated by parasitoids of Lepidoptera, with the reverse being true for the parasitoids of Diptera. The rate of summer temperature rise is further associated with higher levels of herbivory, suggesting higher availability of lepidopteran hosts and changes in ecosystem functioning. We also detect a matching signal over time, as higher summer temperatures, coupled with cold early winter soils, are related to high herbivory by lepidopteran larvae, and to declines in the abundance of dipteran pollinators. Collectively, our results suggest that in parts of the warming Arctic, Dryas is being simultaneously exposed to increased herbivory and reduced pollination. Our findings point to potential drastic and rapid consequences of climate change on multitrophic-level community structure and on ecosystem functioning and highlight the value of collaborative, systematic sampling effort.

    ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

    Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previous work we showed how to use security requirements engineering methods for the development and documentation of the ISO 27001 security standard. In this paper we (i) create an extension of the CORAS methodology for risk management that supports the ISO 27001 standard, (ii) validate the method via comparing its resulting artifacts to the artifacts of an industrial ISO 27001 application, and (iii) discuss the advantages of our method compared to the industrial state-of-the-art. We apply our method to a smart grid scenario provided by the industrial partners of the NESSoS project. Client: European Commissio

    A Foundation for Requirements Analysis of Privacy Preserving Software

    Part 1: Conference. International audience. Privacy requirements are difficult to elicit for any given software engineering project that processes personal information. The problem is that these systems require personal data in order to achieve their functional requirements and privacy mechanisms that constrain the processing of personal information in such a way that the requirement still states a useful functionality. We present privacy patterns that support the expression and analysis of different privacy goals: anonymity, pseudonymity, unlinkability and unobservability. These patterns have a textual representation that can be instantiated. In addition, for each pattern, a logical predicate exists that can be used to validate the instantiation. We also present a structured method for instantiating and validating the privacy patterns, and for choosing privacy mechanisms. Our patterns can also be used to identify incomplete privacy requirements. The approach is illustrated by the case study of a patient monitoring system.

    Analysis of Social Engineering Threats with Attack Graphs

    Abstract. Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. While some research exists for classifying and analysing social engineering attacks, the integration of social engineering attackers with other attackers such as software or network ones is missing so far. In this paper, we propose to consider social engineering exploits together with technical vulnerabilities. We introduce a method for the integration of social engineering exploits into attack graphs and propose a simple quantitative analysis of the graphs that helps to develop a comprehensive defensive strategy.