Mortaza S. Bargh

Privacy and Security in Smart Data Collections by Citizens

The question of how to make a city or government better by exploiting information and communication infrastructures, referred to as smart city, entails an emerging field of research. Large quantities of data are generated from these infrastructures and infusing these data into the physical infrastructure of a city or government may lead to better services to citizens. Collecting and processing of such data, however, may result in privacy and security issues that should be faced appropriately to create a sustainable approach for smart cities and governments. In this chapter, we focus on data collection through crowdsourcing with smart devices and identify the corresponding security and privacy issues in the context of enabling smart cities and governments. We categorize these issues in four classes. For each class, we identify a number of threats as well as solution directions for these threats.

Privacy protection in data sharing: towards feedback based solutions

Sharing data is gaining importance in recent years due to proliferation of social media and a growing tendency of governments to gain citizens trust through being transparent. Data dissemination, however, increases chance of compromising privacy sensitive data, which undermines trust of data subjects (e.g., users and citizens). Data disseminators are morally, ethically, and legally responsible for any misuse of the disseminated data. Therefore, privacy enhancement techniques are often used to prevent unsavory disclosure of personal data. Data recipients, nevertheless, are sometimes able to derive (part of) privacy sensitive information by, for example, fusing the shared data with other data. This can be considered as a sort of data misuse. In this contribution, we investigate how having a feedback from data recipients to data disseminators is instrumental for detecting such data misuses (i.e., privacy breaches). We also elaborate on using feedback for defining and deriving context-dependent privacy-preferences of data disseminators. In this case, feedback acts as a means of privacy prevention. We provide a categorization of existing feedback based solutions and, in addition, describe our implementation of a feedback-based data dissemination solution in an eGovernment setting. Finally, we elaborate on the importance of real-time partial feedback mechanisms, as a rising and promising solution direction for preserving privacy.

A Study of Preventing Email (Spear) Phishing by Enabling Human Intelligence

Cyber criminals use phishing emails in high-volume and spear phishing emails in low volume to achieve their malicious objectives. Hereby they inflict financial, reputational, and emotional damages on individuals and organizations. These (spear) phishing attacks get steadily more sophisticated as cyber criminals use social engineering tricks that combine psychological and technical deceptions to make malicious emails as trustworthy as possible. Such sophisticated (spear) phishing emails are hard for email protection systems to detect. Security researchers have studied users ability to perceive, identify and react upon email (spear) phishing attacks. In this study we have surveyed recent works on understanding how to prevent end-users from falling for email (spear) phishing attacks. Based on the survey we design and propose a novice method that combines interaction methods of reporting, blocking, warning, and embedded education to harness the intelligence of expert and novice users in a corporate environment in detecting email (spear) phishing attacks. We evaluate the design based on a qualitative study, in three experimental steps, by using a mockup prototype, and with 24 participants. We report on the insights gained, indicating that the proposed combination of the interaction methods is promising, and on future research directions.

Exploring a Warrior Paradigm to Design Out Cybercrime

Cyber crime increases with the advent of new online Internet services (e.g., entertainment, commerce, payment, pubic administration, social networking services). Not only do cyber criminals target governmental or public institutions, they increasingly victimize individuals and smaller organizations. At the same time, we observe that individuals and organizations steadily join forces and take a more proactive and collaborative role in war against cyber crime. In the current work we investigate examples of rising security incidents, new information security solutions and new cyber crime legislations, and elaborate upon some mismatches that exist among them. We particularly elaborate upon (the potential of) the collaborative initiatives that allow individuals to join forces and disclose cyber crime threats. We identify and/or outline a number of the research directions in legislation, social and technical arenas.

On Usage Control in Relational Database Management Systems - Obligations and Their Enforcement in Joining Datasets

When datasets are collected and accessed legitimately, they must still be used appropriately according to policies, guidelines, rules, laws, and/or the (current) preferences of data subjects. Any inconsistency between the data collection and data usage processes can conflict with many principles of privacy like the transparency principle, no secondary use principle, or intended purpose usage principle. In this contribution we show how the usage control for the inner join operation in vertically separated relational datasets can be characterized as pre and post obligations of the Usage Control (UCON) model. This type of obligations is defined not only by the state of the UCON object (i.e., a dataset) itself, but also with respect to the state of another dataset. Such dependency on two datasets/objects provides a new insight in UCON obligation constructs when applied to the join operation. We describe also a mechanism to realize the identified obligation in a database management system.

Research skills for software engineering undergraduates in dutch universities of applied sciences

Undergraduate students who seek a bachelor degree in Dutch universities of applied sciences are supposed to learn also research skills so that they can provide innovative solutions to real problems of the society and businesses in their future careers. Current education and textbooks on research skills are not tuned well to software engineering disciplines. This paper describes our vision about the scope and model of the research suitable for software engineering disciplines in Dutch universities of applied sciences. Based on literature study we identify a number of research models that are commonly used in computer science. Through reviewing a number of graduation reports in our university, we further identify which of the research models are most suitable for the (graduation) projects of software engineering disciplines and also investigate their shortcomings with respect to the desired research skills. Our study reveals that the approach of most graduation works is close to the implementation-based (also called build-based or proof by example based) research model. In order to be considered as a realization of sound applied research, however, most of theses graduation works need to be improved on a number of aspects such as problem context definition, system/prototype evaluation, and critical literature study.

Exploiting Data Analytics for Social Services: On Searching for Profiles of Unlawful Use of Social Benefits

In this paper we present a data-driven profiling approach that we have adopted and implemented for a municipality. Our aim was to make profiles transparent and meaningful for citizens, policymakers and authorities so that they can validate, scrutinize and challenge the profiles. Our approach relies on a Genetic Algorithm (GA) that searches for useful and human understandable group profiles. Furthermore, we discuss some of the challenges encountered, show a selection of the profiles that were found by the GA, and discuss the necessity and a number of ways of validating these profiles in accordance with, e.g., privacy and non-discrimination laws and guidelines before using them in practice.

Exploiting Big Data for Evaluation Studies

The collection and analysis of relevant data for evaluating public policies is not a straightforward task. An important type of such studies is the so-called ex-post evaluation. The main objective of ex-post evaluations is to determine to what extent a realized intervention is successful in tackling a societal challenge, e.g., youth unemployment. At a first glance an obvious method is to collect some baseline measurements for a set of relevant variables, apply the intervention for a while and collect the new measurement values for the same set of variables. Then, comparing the measurement values of the variables before and after the intervention provides an insight into the extent of successfulness of the intervention. This, however, is only true if the ceteris paribus condition holds. In practice it is infeasible to enforce this condition for societal challenges. Often, after having the baseline measurements, several phenomena emerge that may impact the new measurements without being taken into account. This makes it difficult to determine how much of the measured differences between the values of the variables before and after the intervention should be attributed to the emerging phenomena (or the so-called counterfactuals) and how much of the differences can be attributed to the applied intervention. This paper discusses how exploiting big data may contribute to the task of elucidating the influences of counterfactuals (and interventions) in ex-post evaluation studies. The paper proposes a framework to utilize big data for accounting for the impact of emerging phenomena in ex-post evaluation studies.

Influence of Mental Models on the Design of Cyber Security Dashboards.

Governments make cyber security related policies to protect citizens’ interests and national infrastructures against cyber attacks. Cyber security related data can enable evidence based policymaking. Data visualisation via dashboards can help understanding of these cyber security data. Designing such dashboards, however, is not straightforward due to difficulty for potential dashboard users to correctly interpret the displayed information. In this contribution we investigate the use of mental models for correct interpretation of displayed information. Our research question is: How useful are mental models for designing cyber security dashboards? We qualitatively investigate the mental models of seven cyber security experts from a typical governmental organisation. This research shows how operators, analysts and managers have different cyber security mental models. Based on the insight gained on these mental models, we develop a cyber security dashboard to assess the impact of mental models on dashboard design. An experience evaluation shows that the realised dashboard is easy to understand and does not obstruct users. We, however, do not see any meaningful difference in how the experts perceive the dashboard, despite their different cyber security mental models. We propose some directions for future research on using mental models for cyber security dashboard design.

On addressing privacy in disseminating judicial data: towards a methodology

Purpose n n n n nInformation dissemination has become a means of transparency for governments to enable the visions of e-government and smart government, and eventually gain, among others, the trust of various stakeholders such as citizens and enterprises. Information dissemination, on the other hand, may increase the chance of privacy breaches, which can undermine those stakeholders’ trust and thus the objectives of transparency. Moreover, fear of potential privacy breaches compels information disseminators to share minimum or no information. The purpose of this study is to address these contending issues of information disseminations, i.e. privacy versus transparency, when disseminating judicial information to gain (public) trust. Specifically, the main research questions are: What is the nature of the aforementioned “privacy–transparency” problem and how can we approach and address this class of problems? n n n n nDesign/methodology/approach n n n n nTo address these questions, the authors have carried out an explorative case study by reconsidering and analyzing a number of information dissemination cases within their research center for the past 10 years, reflecting upon the whole design research process, consulting peers through publishing a preliminary version of this contribution and embedding the work in an in-depth literature study on research methodologies, wicked problems and e-government topics. n n n n nFindings n n n n nThe authors show that preserving privacy while disseminating information for transparency purposes is a typical wicked problem, propose an innovative designerly model called transitional action design research (TADR) to address the class of such wicked problems and describe three artifacts which are designed, intervened and evaluated according to the TADR model in a judicial research organization. n n n n nOriginality/value n n n n nClassifying the privacy transparency problem in the judicial settings as wicked is new, the proposed designerly model is innovative and the realized artifacts are deployed and still operational in a real setting.