By Topic

Socio-Technical Aspects in Security and Trust (STAST), 2011 1st Workshop on

Date 8-8 Sept. 2011

Filter Results

Displaying Results 1 - 17 of 17
  • [Front cover]

    Publication Year: 2011 , Page(s): c1
    Save to Project icon | Request Permissions | PDF file iconPDF (438 KB)  
    Freely Available from IEEE
  • [Title page]

    Publication Year: 2011 , Page(s): i
    Save to Project icon | Request Permissions | PDF file iconPDF (49 KB)  
    Freely Available from IEEE
  • [Copyright notice]

    Publication Year: 2011 , Page(s): ii
    Save to Project icon | Request Permissions | PDF file iconPDF (25 KB)  
    Freely Available from IEEE
  • Table of contents

    Publication Year: 2011 , Page(s): iii
    Save to Project icon | Request Permissions | PDF file iconPDF (43 KB)  
    Freely Available from IEEE
  • Foreword from the general chairs

    Publication Year: 2011 , Page(s): iv
    Save to Project icon | Request Permissions | PDF file iconPDF (35 KB) |  | HTML iconHTML  
    Freely Available from IEEE
  • Conference committee

    Publication Year: 2011 , Page(s): vi
    Save to Project icon | Request Permissions | PDF file iconPDF (72 KB)  
    Freely Available from IEEE
  • Program Committee

    Publication Year: 2011 , Page(s): vii
    Save to Project icon | Request Permissions | PDF file iconPDF (61 KB)  
    Freely Available from IEEE
  • Author index

    Publication Year: 2011 , Page(s): 69
    Save to Project icon | Request Permissions | PDF file iconPDF (41 KB)  
    Freely Available from IEEE
  • Security requirements engineering via commitments

    Publication Year: 2011 , Page(s): 1 - 8
    Cited by:  Papers (3)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1809 KB) |  | HTML iconHTML  

    Security Requirements Engineering (SRE) is concerned with the elicitation of security needs and the specification of security requirements of the system-to-be. Current approaches to SRE either express stakeholders' needs via high-level organisational abstractions that are hard to map to system design, or specify only technical security requirements. In this paper, we introduce SecCo, an SRE framework that starts with goal-oriented modelling of the security needs and derives security requirements from such needs. Importantly, SecCo relates security requirements to the interaction among actors. Security requirements are specified as social commitments - promises with contractual validity from one actor to another - that define constraints on the way actors can interact. These commitments shall be implemented by the system-to-be. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Information security as organizational power: A framework for re-thinking security policies

    Publication Year: 2011 , Page(s): 9 - 16
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (2317 KB) |  | HTML iconHTML  

    Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. Drawing on socio-technical literature to develop an analytical framework, we examine the relationship between security policies and power in organizations. We use our framework to study three examples of security policy from a large empirical study n an international company. Each example highlights a different aspect of our framework. Our results, from in-depth interviews with 55 staff members at all levels, show that there is often non-compliance in the detail of organizational information security policies; this is not willful but is in response to shortcomings in the policy and to meet business needs. We conclude by linking our findings to recent research on the institutional economics of information security. We suggest ways in which our framework can be used by organizational decision-makers to review and re-think existing security policies. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Controlled data sharing in E-health

    Publication Year: 2011 , Page(s): 17 - 23
    Cited by:  Papers (1)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1326 KB) |  | HTML iconHTML  

    In the last few years, the necessity of having documents in electronic format has been growing over and over. This phenomenon affects also healthcare organizations that have adopted a new model for managing clinical information based on so called Electronic Patient Records. On the one hand, the introduction of such models allows to easily share information among several and widespread healthcare organizations. On the other hand, this arises several questions, like how to guarantee security requirements as, e.g., confidentiality, integrity, and privacy of the information shared. In this paper, we present a formal framework for specifying and analysing policies that regulate the information sharing, in such a way that the security requirements of the author of the policy are satisfied. In particular, we consider a set of authorization, obligation, and prohibition clauses aiming at preserving confidentiality, integrity, and privacy of the clinical data of a patient. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • An approach to measure effectiveness of control for risk analysis with game theory

    Publication Year: 2011 , Page(s): 24 - 29
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1195 KB) |  | HTML iconHTML  

    Security managers are facing problems choosing effective controls (countermeasures), as there is large number of controls at their disposal. Although the existing standards and methods provide guidance, they are not sufficiently comprehensive when it comes to deciding what attributes to look for and how to use them for determining the effectiveness of controls. The purpose of this paper is twofold: first we determine the attributes of controls and its measurement functions, in order to measure its effectiveness by means of Analytic Hierarchy Process (AHP). Secondly, we show how control metrics can be used by the analyst to make deployment decisions by means of Risk Analysis Using Game Theory (RAUGT). The approach is further validated by using a case study between a system owner who wants to determine the effectiveness of using the Password Testing System (PTS) to raise the bar for the attacker. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Camera use in the public domain: Towards a ”Big Sister” approach

    Publication Year: 2011 , Page(s): 30 - 36
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1586 KB) |  | HTML iconHTML  

    The use of cameras is growing: not only personal computers and laptops are standard equipped with a camera, but also the public domain is increasingly equipped with cameras. Today's camera is not merely a pair of eyes. A surveillance camera can see much more than a single person can do. The rapid proliferation of camera technologies makes today's cameras beyond human vision. Although these cameras have a primarily goal to enforce public safety, the dark side of camera surveillance is often discussed. One could argue that such camera appearance affects human behavior. The current article reports how cameras influence people's behavior. Our findings are based on a set of exploratory studies. In line with other studies, we find that cameras do influence the behavior of people, and more surprisingly, they evoke emotions. On the basis of our findings, we discuss the potentials and pitfalls of the use of cameras in the public domain and propose a `Big Sister' design approach to enhance public safety that brings value to the citizens and enlightens the dark side of camera surveillance. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • User study of the improved Helios voting system interfaces

    Publication Year: 2011 , Page(s): 37 - 44
    Cited by:  Papers (1)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1573 KB) |  | HTML iconHTML  

    There is increasing interest in cryptographic verifiability in remote electronic voting schemes. Helios is one example of an open-source implementation. In previous work, we proposed an improved version of the original Helios interface in version 3.1 for vote casting and individual verifiability. We now test this interface in a mock mayoral election set up with 34 users. Users are given instructions and fill out questionnaires before and after the vote casting process. Data on mouse movements and time is collected and a modified helmet with eye tracking lenses is used to capture eye movement data. The study shows that the interface is easy to use while people have difficulty understanding the motivation for and the concept of verifiability. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Information security management systems and socio-technical walkthroughs

    Publication Year: 2011 , Page(s): 45 - 51
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1583 KB) |  | HTML iconHTML  

    Information Security Management is related to the design of socio-technical work processes. The development and reflection of this kind of processes can be supported with the field-tested method of the socio-technical walkthrough (STWT). Within a project of raising security standards for a university administration infrastructure, STWT was combined with common ISMS methodology. During this project we found indicators for improvement by employing the STWT: technical and organizational measures can be specified in a single effort; contingent relationships can be taken into account as well as vulnerability resulting from characteristics of social structures. Furthermore switching between different levels of abstraction, details and formalization is possible. STWT helps to develop artifacts which support a focused discussion as well as an appropriate documentation. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • On-line trust perception: What really matters

    Publication Year: 2011 , Page(s): 52 - 59
    Cited by:  Papers (3)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (3013 KB) |  | HTML iconHTML  

    Trust is an essential ingredient in our daily activities. The fact that these activities are increasingly carried out using the large number of available services on the Internet makes it necessary to understand how users perceive trust in the online environment. A wide body of literature concerning trust perception and ways to model it already exists. A trust perception model generally lists a set of factors influencing a person trusting another person, a computer, or a website. Different models define different set of factors, but a single unifying model, applicable to multiple scenarios in different settings, is still missing. Moreover, there are no conclusions on the importance each factor has on trust perception. In this paper, we review the existing literature and provide a general trust perception model, which is able to measure the trustworthiness of a website. Such a model takes into account a comprehensive set of trust factors, ranking them based on their importance, and can be easily adapted to different application domains. A user study has been used to determine the importance, or weight, of each factor. The results of the study show evidence that such weight differs from one application domain (e.g. e-banking or e-health) to another. We also demonstrate that the weight of certain factors is related to the users knowledge in the IT Security field. This paper constitutes a first step towards the ability to measure the trustworthiness of a website, helping developers to create more trustworthy websites, and users to make their trust decisions when using on-line services. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Trustworthy and effective communication of cybersecurity risks: A review

    Publication Year: 2011 , Page(s): 60 - 68
    Cited by:  Papers (4)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1089 KB) |  | HTML iconHTML  

    Slowly but surely, academia and industry are fully accepting the importance of the human element as it pertains to achieving security and trust. Undoubtedly, one of the main motivations for this is the increase in attacks (e.g., social engineering and phishing) which exploit humans and exemplify why many authors regard them as the weakest link in the security chain. As research in the socio-technical security and trust fields gains momentum, it is crucial to intermittently pause and reflect on their progress while also considering related domains to determine whether there are any established principles which may be transferred. Comparison of the states-of-the-arts may assist in planning work going forward and identifying useful future directions for the less mature socio-technical field. This paper seeks to fulfil several of these goals, particularly as they relate to the emerging cybersecurity-risk communication domain. The literature reviews which we conduct here are beneficial and indeed noteworthy as they pull together a number of the key aspects which may affect the trustworthiness and effectiveness of communications on cybersecurity risks. In particular, we draw on information-trustworthiness research and the established field of risk communication. An appreciation of these aspects and precepts is imperative if systems are to be designed that play to individuals' strengths and assist them in maintaining security and protecting their applications and information. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.