Adaptive User-Centered Security

  • Sven Wohlgemuth
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8708)

Abstract

One future challenge in informatics is the integration of humans into an infrastructure of data-centric IT services. A critical activity of this infrastructure is trustworthy information exchange to reduce threats due to misuse of (personal) information. Privacy by Design, the present methodology for developing privacy-preserving and secure IT systems, aims to reduce security vulnerabilities as early as the requirements analysis phase of software development. Incident reports show, however, that vulnerabilities arise not only from the implementation of a model but also from the gap between the rigorous view that a threat and security model takes of the world and the real view of a run-time environment with its dependencies. Dependencies threaten the reliability of information and, in the case of personal information, privacy as well. With the aim of improving security and privacy at run time, this work proposes to extend Privacy by Design by adapting an IT system not only to inevitable security vulnerabilities but in particular to its users' views of an information exchange and its IT support, where those users have different, possibly opposing security interests.

Keywords

Security, privacy, usability, resilience, identity management

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Sven Wohlgemuth (1)

  1. Center for Advanced Security Research Darmstadt (CASED), Darmstadt, Germany
