Erlend Andreas Gjære

Representing Threats in BPMN 2.0

The Business Process Modeling Notation (BPMN) has become a broadly accepted standard for process modeling, but is mostly being used to express the normal execution flow of business processes. In some situations there is also a need to express threats and unwanted incidents on that same abstraction level, for example to show how deviations from normal process flow should be handled. Enriching BPMN with threat information enables a process-centric threat modeling approach that complements risk assessment and attack scenarios. Though there has been a substantial amount of work enhancing BPMN 1.x with security related information, the opportunities provided by version 2.0 have not received a lot of attention in the security community. This paper shows several options and the benefit of representing threats in BPMN 2.0 for design-time specification and runtime execution of composite services with dynamic behavior. Our goal is to avoid downtime and preserve the overall security and trustworthiness of the composite service in an ever-changing Internet of Services. We have included examples showing the use of error events, escalation events and text annotations for process, collaboration, choreography and conversion diagrams.

Designing privacy-friendly digital whiteboards for mediation of clinical progress

BackgroundIn hospitals, digital versions of dry-erase whiteboards are increasingly becoming more common. One of the purposes with such whiteboards is to support coordination of care by augmenting visibility and availability of clinical information. However, clinical information usually concerns patients and is regarded as sensitive personal health information, meaning that it should be access controlled. The purpose of this study is to explore how digital whiteboards can be designed for supporting coordination of care, by providing clinicians with useful information in a usable way, and at the same time protect patient privacy.MethodsA demo application was designed, demonstrated and evaluated iteratively. In total, 15 professional ward nurses role-played a scenario in which the application played a central part. Afterwards, the participants were interviewed. All interviews were recorded, transcribed verbatim, and analysed qualitatively.ResultsThe participants valued having updated clinical information presented on a digital whiteboard, even if the information was de-identified and abstracted. According to the participants, such information could possibly improve inter-departmental communication, reduce the number of electronic health record-logins, and make nurses more rapidly aware of new information. The participants expected that they would be able to re-identify much of the de-identified information in real situations based on their insight into their patients’ recent and expected care activities. Moreover, they also valued being able to easily access more detailed information and verify patient identities. While abstraction and de-identification was regarded to sufficiently protect the patients’ privacy, the nurses also pointed out the importance of having control over what can be seen by other patients and passers-by if detailed medical information was accessed on a digital whiteboard.ConclusionsPresenting updated information from patient care activities on a digital whiteboard in a de-identified and abstracted format may support coordination of care at a hospital ward without compromising patient privacy.

Personal health information on display: balancing needs, usability and legislative requirements.

Large wall-mounted screens placed at locations where health personnel pass by will assist in self-coordination and improve utilisation of both resources and staff at hospitals. The sensitivity level of the information visible on these screens must be adapted to a close-to-public setting, as passers-by may not have the right or need to know anything about patients being treated. We have conducted six informal interviews with health personnel in order to map what kind of information they use when identifying their patients and their next tasks. We have compared their practice and needs to legislative requirements and conclude that it is difficult, if not impossible, to fulfil all requirements from all parties.

A risk-based evaluation of group access control approaches in a healthcare setting

This paper focuses on access control approaches usable for information sharing through large screens where several individuals are present at the same time. Access control in this setting is quite different from traditional systems where a user logs on to the system. The paper outlines a number of possible approaches to access control, and evaluates them based on criteria derived from risk analyses of a planned coordination system for the perioperative hospital environment. It concludes that future work should focus on extending the location-based approach with situation awareness, and add support for using pop-ups or handheld devices for sharing of the most sensitive information.

The Use and Usefulness of Threats in Goal-Oriented Modelling

Both goal and threat modelling are well-known activities related to high-level requirements engineering. While goals express why a system is needed, threats tell us why security for our system is needed. Still, you will often find that goals and threats are treated in separate modelling processes, perhaps not being influenced by each other at all. The research question we try to address in here is to what extent should we include threats in goal-oriented modelling? There is for instance a trade-off between expressiveness, usability and usefulness that must be considered. To improve this situation we believe that a well-defined methodology with good tool support will make the modelling process easier, and give a more useful result. In this paper we first give an overview of previous work on the use of threats within goal-modelling. We explain the use of threats within a goal-oriented socio-technical security modelling language and how tool support enables reuse of threats and automatic analysis of threat propagation in the models. This is exemplified with a case study from Air Traffic Management (ATM) from which we extract some of the the practical challenges that we have. We are able to conclude that threats provide a useful foundation and justification for the security requirements we derive from goal modelling, but this should not be considered to be a replacement for risk assessment methods. Having goals and threats before thinking of the technical solutions of a system allows us to raise awareness on situations that are not just exceptions from regular execution flow.

Security Incident Information Exchange for Cloud Services

The complex provider landscape in cloud computing makes incident handling difficult, as Cloud Service Providers (CSPs) with end-user customers do not necessarily get sufficient information about incidents that occur at upstream CSPs. In this paper, we argue the need for commonly agreed-upon incident information exchanges between providers as a means to improve accountability of CSPs. The discussion considers several technical challenges and non-technical aspects related to improving the situation for incident response in cloud computing scenarios. In addition, we propose a technical implementation which can embed standard representation formats for incidents in notification messages, built over a publish-subscribe architecture, and a web-based dashboard for handling the incident workflow.

Healthcare Services in the Cloud - Obstacles to Adoption, and a Way Forward

Cloud computing has been receiving a great deal of attention during the past few years. A major feature of public cloud services is that data are processed remotely in unknown systems that the users do not own or operate. This context creates a number of challenges related to data privacy and security and may hinder the adoption of cloud technology in, for example, the healthcare domain. This paper presents results from a stakeholder elicitation activity, in which the participants identified a number of obstacles to the adoption of cloud computing for the processing of healthcare data. We compare our results with previous studies and outline accountability as a possible way forward to increase the adoption of cloud services in the healthcare domain.

Differentiating Cyber Risk of Insurance Customers: The Insurance Company Perspective

As a basis for offering policy and setting tariffs, cyber-insurance carriers need to assess the cyber risk of companies. This paper explores the challenges insurance companies face in assessing cyber risk, based on literature and interviews with representatives from insurers. The interview subjects represent insurance companies offering cyber-insurance in a market where this is a new and unknown product. They have limited historical data, with few examples of incidents leading to payout. This lack of experience and data, together with the need for an efficient sales process, highly impacts their approach to risk assessment. Two options for improving the ability to perform thorough yet efficient assessments of cyber risk are explored in this paper: basing analysis on reusable sector-specific risk models, and including managed security service providers (MSSPs) in the value chain.

Threats Management Throughout the Software Service Life-Cycle.

Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime.

Threat Analysis in Goal-Oriented Security Requirements Modelling

Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, the authors address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis. The authors show that this effort is not trivial and a trade-off between visual expressiveness, usability and usefulness has to be considered. Specifically, the authors integrate threat modelling with the socio-technical security modelling language (STS-ml), introduce automated analysis techniques that propagate threats in the combined models, and present tool support that enables reuse of threats facilitated by a threat repository. The authors illustrate their approach on a case study from the Air Traffic Management (ATM) domain, from which they extract some practical challenges. The authors conclude that threats provide a useful foundation and justification for the security requirements that the authors derive from goal modelling, but this should not be considered as a replacement to risk assessment. The usage of goals and threats early in the development process allows raising awareness of high-level security issues that occur regardless of the chosen technology and organizational processes.