WOSIS 2013 Abstracts


Full Papers
Paper Nr: 4
Title:

Use of a Duplex Construction of SHA-3 for Certificate Revocation in VANETs

Authors:

F. Martín-Fernández, P. Caballero-Gil and C. Caballero-Gil

Abstract: This work describes the application of a version of the new standard SHA-3 to improve the performance of certificate revocation in Vehicular Ad-hoc NETworks (VANETs). In particular, it proposes the use of a duplex construction instead of the sponge one present in the SHA-3 version of the Keccak hash function, combined with a dynamic authenticated data structure based on k-ary trees that allows taking advantage of such a construction. Besides, a new scheme for authenticated encryption is also introduced to ensure integrity, authenticity and privacy of an auxiliary structure used to link the ordered identifier in the k-ary tree with the corresponding certificate serial number. This is an ongoing work, and the implementation of a prototype based on smartphones is being developed.

Paper Nr: 9
Title:

Case Study Role Play for Risk Analysis Research and Training

Authors:

Lisa Rajbhandari and Einar Arthur Snekkenes

Abstract: Typically, a risk analysis may identify and document sensitive and confidential information regarding threats, vulnerabilities, assets and their valuation, etc. The intrusive nature of the risk analysis process makes it difficult for researchers (or students) to gain access to scenarios from operational organizations for evaluating (or training on) risk analysis methods. In order to resolve these issues, we propose Case Study Role Play (CSRP). We elaborate the use of CSRP in combination with the Conflicting Incentives Risk Analysis (CIRA) method to analyze privacy risks to an end-user from using the eGovernment service. This paper contributes by demonstrating how CSRP helps to establish a platform for doing risk management related research and training in a ‘reasonably’ realistic environment, where confidentiality, sensitivity issues, red tape and the need for permissions do not create roadblocks. Furthermore, CSRP ensures that the time and resources needed to set up the required environment are low and predictable.

Paper Nr: 11
Title:

Introducing a Security Governance Framework for Cloud Computing

Authors:

Oscar Rebollo, Daniel Mellado and Eduardo Fernández-Medina

Abstract: The cloud computing paradigm provides a more efficient way in which to provide IT services, introducing on-demand services and flexible computing resources. The adoption of these cloud services is being hindered by the security issues that arise with this new environment. A global security solution, which deals with the specific particularities of the cloud paradigm, is therefore needed, and literature fails to report on such a solution. As a consequence, in this paper we propose a novel security governance framework focused on the cloud computing environment (ISGcloud). This framework is founded upon two main standards: on the one hand, we implement the core governance principles of the ISO/IEC 38500 governance standard; and on the other hand, we propose a cloud service lifecycle based on the ISO/IEC 27036 outsourcing security draft. The paper includes an overview of the framework and the description of a collection of activities and their related tasks.

Paper Nr: 12
Title:

On the Impact of Concurrency for the Enforcement of Entailment Constraints in Process-driven SOAs

Authors:

Thomas Quirchmayr and Mark Strembeck

Abstract: Entailment constraints, such as mutual exclusion or binding constraints, are an important means to specify and enforce business processes. However, the inherent concurrency of a distributed system may lead to omission. Such failures impact the enforcement of entailment constraints in a process-driven SOA. In particular, the impact of these failures as well as the corresponding countermeasures depend on the architecture of the respective process engine. In this paper, we discuss the impact of omission failures on the enforcement of entailment constraints in process-driven SOAs. In this context, we especially consider if the respective process engine acts as an orchestration engine or as a choreography engine.

Paper Nr: 13
Title:

IBE Extension for HIP

Authors:

Amir K.C., Harri Forsgren, Kaj Grahn, Timo Karvi and Göran Pulkkis

Abstract: This article explores the possibilities to replace RSA public key identities and X.509 certificates with any unique identities and identity-based encryption (IBE) in the Base Exchange of the Host Identity Protocol (HIP). We have analysed the technical and trust-related details when applying IBE in HIP. These details include, for example, how to insert the IBE parameters into HIP packets and how to guarantee their correctness. We have extended OpenHIP v0.7 software with capabilities for X.509 certified RSA-based Host Identities, for trusted IBE-based Host Identities, and for IBE signatures in HIP messages. We have also measured HIP message times in the Base Exchange. These measurements show that the basic IBE solution is rather slow compared to the RSA solution with certificates. However, if applications are such that it is necessary to check revocation lists often, the IBE solution is feasible.

Paper Nr: 16
Title:

Is Usability an Obstacle for Information Systems Security?

Authors:

Laura Zapata, Ana Mª Moreno and Eduardo Fernandez-Medina

Abstract: Keeping information systems secure is costly. Organizations allocate financial and human resources in order to prevent security incidents having an impact on software applications. There is evidence that information systems security has in some cases been affected by human errors that might be caused by a poor usability design. There is clearly a link between security and usability. To clarify this, we have conducted a systematic mapping study of the literature produced over the last decade. We identified five relationship types: inverse, direct, relative, one-way inverse, and no-relationship. Most authors agree that there is an inverse relationship between security and usability, which means that increasing usability leads to a decrease in security issues in a product and vice versa. However, this is not a unanimous finding, and this study unveils a number of open questions, like application domain dependency and the need to explore lower level relationships between attribute sub-characteristics.

Paper Nr: 18
Title:

XACML and Risk-Aware Access Control

Authors:

Liang Chen, Luca Gasparini and Timothy J. Norman

Abstract: Risk-aware access control (RAAC) has shown promise as an approach to addressing the increasing need to share information securely in dynamic environments. For such models to realise their promise, however, principled, standard-based software engineering methods are essential. XACML is an XML-based OASIS standard for the specification and evaluation of access control policies. In this paper we explore the use of XACML as a means of implementing RAAC. We abstract core components of RAAC relevant to risk management, and show how these may be implemented using standard XACML features.

Paper Nr: 19
Title:

A Model Driven Approach for Automatically Improving OLAP Legacy Applications with Security

Authors:

Carlos Blanco, Eduardo Fernández-Medina and Juan Trujillo

Abstract: The majority of organizations store their historical business information in Data Warehouses (DW) which are queried to make strategic decisions by using On-Line Analytical Processing (OLAP) tools. This information has to be correctly assured against unauthorized accesses, but nevertheless there is a great number of legacy OLAP applications that have been developed without considering security aspects or these have been incorporated once the system was implemented. This work defines a reverse engineering process that allows us to obtain the conceptual model corresponding to a legacy OLAP application, and also analyses and represents the security aspects that could have been established. This process has been aligned with a model driven architecture for developing secure OLAP applications by defining the transformations needed to automatically apply it. Once the conceptual model has been extracted, it can be easily modified and improved with security, and automatically transformed to generate the new implementation.

Short Papers
Paper Nr: 6
Title:

Information Security in Business Intelligence based on Cloud: A Survey of Key Issues and the Premises of a Proposal

Authors:

Elena Jaramillo, Manuel Munier and Philippe Aniorté

Abstract: More sophisticated inter-organizational interactions have generated changes in the way in which organizations make business. Advanced forms of collaborations, such as Business Process as a Service (BPaaS), allow different partners to leverage business intelligence within organizations. However, although it presents powerful economical and technical benefits, it also raises some pitfalls about data security, especially when it is mediated by the cloud. In this article, current aspects which have been tackled in the literature related to data risks and accountability are presented. In addition, some open issues are also presented from the analysis of the existing methodologies and techniques proposed in the literature. A final point is made by proposing an approach, which aims at preventive, detective and corrective accountability and data risk management, based on usage control policies and model driven engineering.

Paper Nr: 7
Title:

A Multi-version Database Damage Assessment Model

Authors:

Kranthi Kurra, Brajendra Panda and Yi Hu

Abstract: Unauthorized data access and malicious data corruption can have a very deleterious impact on an organization. To minimize the effect, fast and accurate damage assessment and appropriate recovery must be performed as soon as such an attack is detected. This research focuses on damage assessment procedures using multi-version data in the Database System. By utilizing the proposed multi-version data scheme, it is possible to eliminate the impact of malicious database transactions by providing appropriate versions of data items to transactions during the damage assessment procedure.