Abstract Numerous security risks or weaknesses beset Grid systems. These risks are often well und... more Abstract Numerous security risks or weaknesses beset Grid systems. These risks are often well understood in the e-Commerce world but may be new to some Grid developers and many Grid users. This document aims to raise awareness of some of the security ...
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
The report is one in a series of four project reports, which focus on working towards standardisa... more The report is one in a series of four project reports, which focus on working towards standardisation of privacy risk assessment for cross-domain access and re-use of sensitive data for research purposes. This report describes how to automate privacy risk assessment by augmenting a pre-existing cybersecurity knowledgebase with privacy risk factors and then using the combined knowledge in an ISO 27005 risk assessment process using a System Security Modelling (SSM) platform. This approach allows data governance practitioners to construct a model of a system that can be used to explore threats, risks and consequences in a transparent, repeatable and efficient way. ISO 27005 is adopted as it is well established and integrating privacy risk management into a methodology that already supports cybersecurity risk management has considerable benefits. Traditionally, risk assessment is undertaken through communication and consultation with stakeholders and often requires significant expertise. Encoding privacy risk factors within a reusable knowledge base and providing a decision support tool implementing standard processes reduces the expertise needed by data governance practitioners. The process of knowledge capture and engineering is based on identifying and classifying the cause and effect relationships between the elements of risk. These elements include types of Assets, Vulnerabilities, Threats, Consequences and Controls that together define Threat Specifications and Control Strategies to address threats. New elements of each of these types have been determined specific to privacy protection from analysis of risk factors associated with the Five Safes framework.
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
This report summarises the results from engagement with one of the DARE UK PRiAM project's key st... more This report summarises the results from engagement with one of the DARE UK PRiAM project's key stakeholders: the general public. The aim of DARE UK PRiAM has been work towards a standard privacy risk assessment framework for those seeking to operate a secure, trusted infrastructure environment within cross-council collaborative research networks. To complement this work, understanding private individuals' perspectives on privacy and privacy risk provides a significant contribution to how to articulate to those who might engage with those services or infrastructure environments. 1 As an example federative approach see the "open, federated and interoperable technology stack for trusted research environments" and "Federated Data Analytics Infrastructure-Capability Maturity Model" outlined by Health Data Research UK (HDR UK, 2021b).
Acta Crystallographica Section A Foundations of Crystallography, 2005
Powder diffraction intensity data with asymmetric peak profiles measured with a conventional Brag... more Powder diffraction intensity data with asymmetric peak profiles measured with a conventional Bragg-Brentano diffractometer and a high-resolution synchrotron diffractometer are treated with a fast Fourier transformation method [1, 2] to obtain intensity data with symmetric peak profiles. The method is based on deconvolution of analytical expressions of the optical aberrations of the diffractometers [3-6]. The symmetrised peak profiles enable simplified analytical procedures for individual peak profile fitting, whole pattern decomposition and Rietveld refinement. The symmetrised diffraction data of fine SiC powder (JFCC, RP-2) measured with a conventional powder diffractometer has revealed a "super-Lorentzian" character of intrinsic diffraction peak profiles, which is reasonably explained by a theory for diffraction from small spherical crystallites with broad log-normal size distribution [7]. The results of a least-squares refinement applied to integrated intensity values of 42 reflections extracted from symmetrised high-resolution diffraction data of standard ZnO powder (NIST, SRM674) measured at Photon Factory in Tsukuba has been coincidence factor of R = 0.45% with reasonable structure parameters.
This paper describes a novel approach to semantic system and security modelling developed in the ... more This paper describes a novel approach to semantic system and security modelling developed in the SERSCIS project. The approach is designed to address dynamic multistakeholder systems that are composed from services at run-time. This presents several challenges for security risk modelling and management that are not well addressed by previous work. The biggest challenge is the fact that at design-time one only knows the structure but not the composition of the system, forcing an abstract modelling approach to be used. The SERSCIS approach deals with this by defining a set of OWL classes describing generic system assets, threats and security controls and the relationships between them. This dependability model captures security expertise concerning the types of threats that can arise in general and the controls that can be used to address them. An abstract system model can then be created using OWL subclasses, to capture the types of assets and their relationships in a specific system, but still without specifying how many assets, where they are deployed or what security controls they have. The resulting models can be used as inputs to run-time semantic monitoring tools, where the knowledge encoded in the abstract system model is used to automatically determine system threat activity and system vulnerabilities. The approach was validated in an Airport Collaborative Decision-Making scenario.
Page 1. Dynamic resource allocation and accounting in VOs Workpackage: 5 Grid Dynamics Author(s):... more Page 1. Dynamic resource allocation and accounting in VOs Workpackage: 5 Grid Dynamics Author(s): Sven van den Berghe Mike Surridge, Thomas Leonard Fujitsu Laboratories of Europe IT Innovation Authorized by Mike Surridge IT Innovation Doc Ref: P5.4.3 ...
A typical two-or three-year research project has an impact that is only really visible after the ... more A typical two-or three-year research project has an impact that is only really visible after the project has come to an end, at a time when there are no resources to monitor that impact. As a consequence, projects need to estimate/predict their future impact before they end. In this paper we describe the impact activity monitoring method in the FITMAN project. This method addresses the problem by accounting for actions to raise impact during a project and the planning for such actions after a project has ended. We also describe the socioeconomic impact assessment methodology created in FITMAN, showing how this links to the impact activity monitoring method. Key to both is the assessment and monitoring of impact in three different areas: industry, society and the scientific community. Each area represents different challenges and we discuss their relative value to the overall assessment. We also report on our early experiences of applying this to ten industry-led use case trials in the FITMAN project. The insights gained by applying these methodologies can be more widely applied across domains related to technology management.
The SERSCIS project aims to support the use of interconnected systems of services in Critical Inf... more The SERSCIS project aims to support the use of interconnected systems of services in Critical Infrastructure (CI) applications. The problem of system interconnectedness is aptly demonstrated by 'Airport Collaborative Decision Making' (A-CDM). Failure or underperformance of any of the interlinked ICT systems may compromise the ability of airports to plan their use of resources to sustain high levels of air traffic, or to provide accurate aircraft movement forecasts to the wider European air traffic management systems. The proposed solution is to introduce further SERSCIS ICT components to manage dependability and interdependency. These use semantic models of the critical infrastructure, including its ICT services, to identify faults and potential risks and to increase human awareness of them. Semantics allows information and services to be described in such a way that makes them understandable to computers. Thus when a failure (or a threat of failure) is detected, SER-SCIS components can take action to manage the consequences, including changing the interdependency relationships between services. In some cases, the components will be able to take action autonomously-e.g. to manage 'local' issues such as the allocation of CPU time to maintain service performance, or the selection of services where there are redundant sources available. In other cases the components will alert human operators so they can take action instead. The goal of this paper is to describe a Service Oriented Architecture (SOA) that can be used to address the management of ICT components and interdependencies in critical infrastructure systems.
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
Trustworthy and collaborative data sharing and re-usage for approved research purposes can help t... more Trustworthy and collaborative data sharing and re-usage for approved research purposes can help to advance public health and patient care. Data and analytics systems are changing and new ways to share and access data are emerging, including the potential for greater federation of resources and services. These changes are bringing about new and evolving risks. What remains vital is that people are protected from harms associated with data disclosure and re-use-and that public confidence and engagement in health and social care research are maintained. As such, the DARE UK PRiAM project aims to explore methods and tools that can support decisionmakers, patients and the public to assess and manage privacy risk when considering emerging data access and reusage scenarios, such as federation. This report describes privacy requirements and use cases for cross-domain access and re-use of sensitive data for research purposes, taking into consideration emerging data usage patterns and needs. This report is the first in a series of four project reports, which together focus on working towards standardisation of privacy risk assessment for cross-domain access and re-use of sensitive data for research purposes. The report specifically focuses on three main areas: • Three driver use cases are outlined as exemplars of cross-domain linkage and analysis related to public health research and integrated care. • Emerging data usage patterns and data sharing needs in operational health data networks are explored, concentrating on trusted research environments (TREs) as facilitators of federated sharing and processing of data. • Some different approaches to identifying, organising and using risk factors for privacy risk assessment are examined through a literature review. We now summarise some of the key points highlighted in this report: Outlining three driver use cases related to public health research and integrated care UK Research and Innovation (UKRI) cross council research utilising advanced analytics methods-artificial intelligence/machine learning (AI/ML)-for health and social care transformation often require data from multiple sources, including electronic health records, digital health applications and wearable technologies. As part of this project, we focus therefore on research taking place between the Medical Research Council (MRC)in relation to health, Economic and Social Research Council (ESRC)-concerning social science and social care, and Engineering and Physical Sciences Research Council (EPSRC)-with regard to computer science. Three real-world uses cases are outlined as exemplars of access and re-usage of cross-domain sensitive data:
Technology adoption is often predicted based on little information such as the Perceived ease-of-... more Technology adoption is often predicted based on little information such as the Perceived ease-of-use and the Perceived usefulness of the technology. Related constructs such as Attitude to use, Behavioral intention to use and External variables cannot be easily operationalised and so are often ignored. However, technology characteristics themselves fail to represent other factors such as potential adopter attitudes and how they react to the opportunities offered by the technology to meet their needs. In a series of three studies, qualitative methods were used to identify, validate and then exploit narrative themes. Based on the short narratives of potential adopters discussing their experiences with a set of cybersecurity tools, we are developing a small-story narrative framework to capture how they respond to the technology contextualised directly within their professional environment. Akin to concepts from adoption frameworks in healthcare intervention studies, we conclude that adopter's personal response to a technology and how they make sense of it in their environment becomes evident in the narratives they create.
Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and the... more Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and they may face various internal issues when attempting to set up cyber-risk strategies. In this work, we apply a user journey approach to model human behaviour and visually map SMEs' practices and threats, along with a visualisation of the socio-technical actor network, targeted specifically at the risks highlighted in the user journey. By using a combination of cybersecurity-related visualisations, our goals are: i) to raise awareness about cybersecurity, and ii) to improve communication among IT personnel, security experts, and non-technical personnel. To achieve these goals, we combine two modelling languages: Customer Journey Modelling Language (CJML) is a visual language for modelling and visualisation of work processes in terms of user journeys. System Security Modeller (SSM) is an asset-based risk-analysis tool for socio-technical systems. By demonstrating the languages' supplementary nature through a threat scenario and considering related theories, we believe that there is a sound basis to warrant further validation of CJML and SSM together to raise awareness and handle cyber threats in SMEs.
The Future Internet offers increasing opportunities for participation by private individuals, nat... more The Future Internet offers increasing opportunities for participation by private individuals, natural persons in legal terms 1. Personal access devices have not been confined to office-based personal computers for some time, and continue to evolve: computer systems grew smaller and more compact with a demand for increased portability, and personal communication devices (mobile phones) grew in storage and processing capacity as well as going beyond telecommunications to the web (smart phones) for the two to converge in tablet-type devices. On the one hand, this allows for extensive and pervasive connectivity all day, every day, for access to data and information systems, to communicate with friends, with colleagues and with businesses and government, as well as to share with the world or worlds what us going for the individual or in an individual's reaction to events or to others: the social network. On the other, this poses increasing challenges for personal privacy as well as freedom. Personal data associated with individuals should be treated with care, it can be assumed; but what happens when the data subjects themselves release such data via social networking sites (SNS)? In this report, relevant legislation surrounding the treatment of personal data is presented and reviewed. Interactions of individuals (data subjects) with online services is described against the legislative background and summary conclusions and recommendations are made directed at FI Users, FI Providers and Service and application developers. The report is divided into the following sections: Background: the legal perspective on protecting personal data outlines the legal framework in Europe for the protection of personal data, summarising the various sections of the Data Protection Directive for how such data should be handled. The reality: should we be nervous? discusses how legislation is implemented and lists areas such as unauthorised disclosure and sharing in terms of particular cases against well-known service providers. User perceptions: trust briefly reviews user attitudes to online services and how their personal data are protected. User confidence: the public domain outlines the legal basis for treating data which have been made public (such as varying sharing on public websites); and finally User profiles and data mining: derivative works looks how personal data shared via social networking sites along with records of online activity and behaviours can be used to build up profiles of end users which could well provide an unwanted perspective on a given individual. So the intention in this overview is to bring together legislative, subjective and service-oriented aspects of personal data usage as it stands today with some indicators of the challenges for those building as well as using the Future Internet.
The Real-Time Framework (RTF) is a novel development and execution platform for emerging Internet... more The Real-Time Framework (RTF) is a novel development and execution platform for emerging Internet infrastructures and applications with real-time requirements, such as distance learning and multi-player online computer games. In this paper, we describe RTF as part of the edutain@grid service architecture and explain the role distribution between the application developer and the framework. We study in detail the use of RTF for two application use cases: 1) multi-player online games running on multiple servers, and 2) distance learning with frequent interactions over a wide-area network. Then, we report experimental results on the performance and scalability of RTF-based infrastructures and applications. Finally, we formulate the advantages of RTF and the edutain@grid architecture that go beyond the state of the art in the area.
The analysis of existing software evaluation techniques reveals the need for evidence-based evalu... more The analysis of existing software evaluation techniques reveals the need for evidence-based evaluation of systems' trustworthiness. This paper aims at evaluating trustworthiness of socio-technical systems during designtime. Our approach combines two existing evaluation techniques: a computational approach and a risk management approach. The risk-based approach identifies threats to trustworthiness on an abstract level. Computational approaches are applied to evaluate the expected end-to-end system trustworthiness in terms of different trustworthiness metrics on a concrete asset instance level. Our hybrid approach, along with a complementary tool prototype, support the assessment of risks related to trustworthiness as well as the evaluation of a system with regard to trustworthiness requirements. The result of the evaluation can be used as evidence when comparing different system configurations.
The use of engineering meta-applications for activities such as design optimisation and sensitivi... more The use of engineering meta-applications for activities such as design optimisation and sensitivity analysis can provide substantial business benefits, but require significant computing resources. However, they can be made financially viable through the exploitation of software and hardware on demand business models, supported by an electronic marketplace. This paper presents an agent-based business-to-business e-commerce system that enables large-scale distributed engineering simulations using third-party resources. The system has wide applicability and can form an e-business framework for many resource-intensive applications provided by the emerging application service provision (ASP) market.
Digital health data is created, stored and processed in healthcare IT infrastructures. These infr... more Digital health data is created, stored and processed in healthcare IT infrastructures. These infrastructures are the target of large-scale cyber-attacks and are found to be vulnerable, primarily for two main reasons: the heterogeneity of infrastructure and the numerous stakeholders (medical staff, managers, patients, regulators etc.). Furthermore, the stakeholders have different attitudes, skills, awareness and data handling practices that offer many opportunities for malicious activities. Healthcare in general is characterised by a multitude of regulations and adherence to them is essential to the functioning of the system. Compliance management is usually described in terms of risks and involves activities such as risk identification, assessment and treatment. Our paper conceptualises the notion of a "compliance threat" and discusses the security of crossborder health data exchange. The paper presents the architecture of the System Security Modeller and illustrates the security risk assessment of the "break glass" scenario which requires health data communication in an emergency situation.
Abstract Numerous security risks or weaknesses beset Grid systems. These risks are often well und... more Abstract Numerous security risks or weaknesses beset Grid systems. These risks are often well understood in the e-Commerce world but may be new to some Grid developers and many Grid users. This document aims to raise awareness of some of the security ...
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
The report is one in a series of four project reports, which focus on working towards standardisa... more The report is one in a series of four project reports, which focus on working towards standardisation of privacy risk assessment for cross-domain access and re-use of sensitive data for research purposes. This report describes how to automate privacy risk assessment by augmenting a pre-existing cybersecurity knowledgebase with privacy risk factors and then using the combined knowledge in an ISO 27005 risk assessment process using a System Security Modelling (SSM) platform. This approach allows data governance practitioners to construct a model of a system that can be used to explore threats, risks and consequences in a transparent, repeatable and efficient way. ISO 27005 is adopted as it is well established and integrating privacy risk management into a methodology that already supports cybersecurity risk management has considerable benefits. Traditionally, risk assessment is undertaken through communication and consultation with stakeholders and often requires significant expertise. Encoding privacy risk factors within a reusable knowledge base and providing a decision support tool implementing standard processes reduces the expertise needed by data governance practitioners. The process of knowledge capture and engineering is based on identifying and classifying the cause and effect relationships between the elements of risk. These elements include types of Assets, Vulnerabilities, Threats, Consequences and Controls that together define Threat Specifications and Control Strategies to address threats. New elements of each of these types have been determined specific to privacy protection from analysis of risk factors associated with the Five Safes framework.
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
This report summarises the results from engagement with one of the DARE UK PRiAM project's key st... more This report summarises the results from engagement with one of the DARE UK PRiAM project's key stakeholders: the general public. The aim of DARE UK PRiAM has been work towards a standard privacy risk assessment framework for those seeking to operate a secure, trusted infrastructure environment within cross-council collaborative research networks. To complement this work, understanding private individuals' perspectives on privacy and privacy risk provides a significant contribution to how to articulate to those who might engage with those services or infrastructure environments. 1 As an example federative approach see the "open, federated and interoperable technology stack for trusted research environments" and "Federated Data Analytics Infrastructure-Capability Maturity Model" outlined by Health Data Research UK (HDR UK, 2021b).
Acta Crystallographica Section A Foundations of Crystallography, 2005
Powder diffraction intensity data with asymmetric peak profiles measured with a conventional Brag... more Powder diffraction intensity data with asymmetric peak profiles measured with a conventional Bragg-Brentano diffractometer and a high-resolution synchrotron diffractometer are treated with a fast Fourier transformation method [1, 2] to obtain intensity data with symmetric peak profiles. The method is based on deconvolution of analytical expressions of the optical aberrations of the diffractometers [3-6]. The symmetrised peak profiles enable simplified analytical procedures for individual peak profile fitting, whole pattern decomposition and Rietveld refinement. The symmetrised diffraction data of fine SiC powder (JFCC, RP-2) measured with a conventional powder diffractometer has revealed a "super-Lorentzian" character of intrinsic diffraction peak profiles, which is reasonably explained by a theory for diffraction from small spherical crystallites with broad log-normal size distribution [7]. The results of a least-squares refinement applied to integrated intensity values of 42 reflections extracted from symmetrised high-resolution diffraction data of standard ZnO powder (NIST, SRM674) measured at Photon Factory in Tsukuba has been coincidence factor of R = 0.45% with reasonable structure parameters.
This paper describes a novel approach to semantic system and security modelling developed in the ... more This paper describes a novel approach to semantic system and security modelling developed in the SERSCIS project. The approach is designed to address dynamic multistakeholder systems that are composed from services at run-time. This presents several challenges for security risk modelling and management that are not well addressed by previous work. The biggest challenge is the fact that at design-time one only knows the structure but not the composition of the system, forcing an abstract modelling approach to be used. The SERSCIS approach deals with this by defining a set of OWL classes describing generic system assets, threats and security controls and the relationships between them. This dependability model captures security expertise concerning the types of threats that can arise in general and the controls that can be used to address them. An abstract system model can then be created using OWL subclasses, to capture the types of assets and their relationships in a specific system, but still without specifying how many assets, where they are deployed or what security controls they have. The resulting models can be used as inputs to run-time semantic monitoring tools, where the knowledge encoded in the abstract system model is used to automatically determine system threat activity and system vulnerabilities. The approach was validated in an Airport Collaborative Decision-Making scenario.
Page 1. Dynamic resource allocation and accounting in VOs Workpackage: 5 Grid Dynamics Author(s):... more Page 1. Dynamic resource allocation and accounting in VOs Workpackage: 5 Grid Dynamics Author(s): Sven van den Berghe Mike Surridge, Thomas Leonard Fujitsu Laboratories of Europe IT Innovation Authorized by Mike Surridge IT Innovation Doc Ref: P5.4.3 ...
A typical two-or three-year research project has an impact that is only really visible after the ... more A typical two-or three-year research project has an impact that is only really visible after the project has come to an end, at a time when there are no resources to monitor that impact. As a consequence, projects need to estimate/predict their future impact before they end. In this paper we describe the impact activity monitoring method in the FITMAN project. This method addresses the problem by accounting for actions to raise impact during a project and the planning for such actions after a project has ended. We also describe the socioeconomic impact assessment methodology created in FITMAN, showing how this links to the impact activity monitoring method. Key to both is the assessment and monitoring of impact in three different areas: industry, society and the scientific community. Each area represents different challenges and we discuss their relative value to the overall assessment. We also report on our early experiences of applying this to ten industry-led use case trials in the FITMAN project. The insights gained by applying these methodologies can be more widely applied across domains related to technology management.
The SERSCIS project aims to support the use of interconnected systems of services in Critical Inf... more The SERSCIS project aims to support the use of interconnected systems of services in Critical Infrastructure (CI) applications. The problem of system interconnectedness is aptly demonstrated by 'Airport Collaborative Decision Making' (A-CDM). Failure or underperformance of any of the interlinked ICT systems may compromise the ability of airports to plan their use of resources to sustain high levels of air traffic, or to provide accurate aircraft movement forecasts to the wider European air traffic management systems. The proposed solution is to introduce further SERSCIS ICT components to manage dependability and interdependency. These use semantic models of the critical infrastructure, including its ICT services, to identify faults and potential risks and to increase human awareness of them. Semantics allows information and services to be described in such a way that makes them understandable to computers. Thus when a failure (or a threat of failure) is detected, SER-SCIS components can take action to manage the consequences, including changing the interdependency relationships between services. In some cases, the components will be able to take action autonomously-e.g. to manage 'local' issues such as the allocation of CPU time to maintain service performance, or the selection of services where there are redundant sources available. In other cases the components will alert human operators so they can take action instead. The goal of this paper is to describe a Service Oriented Architecture (SOA) that can be used to address the management of ICT components and interdependencies in critical infrastructure systems.
Zenodo (CERN European Organization for Nuclear Research), Sep 23, 2022
Trustworthy and collaborative data sharing and re-usage for approved research purposes can help t... more Trustworthy and collaborative data sharing and re-usage for approved research purposes can help to advance public health and patient care. Data and analytics systems are changing and new ways to share and access data are emerging, including the potential for greater federation of resources and services. These changes are bringing about new and evolving risks. What remains vital is that people are protected from harms associated with data disclosure and re-use-and that public confidence and engagement in health and social care research are maintained. As such, the DARE UK PRiAM project aims to explore methods and tools that can support decisionmakers, patients and the public to assess and manage privacy risk when considering emerging data access and reusage scenarios, such as federation. This report describes privacy requirements and use cases for cross-domain access and re-use of sensitive data for research purposes, taking into consideration emerging data usage patterns and needs. This report is the first in a series of four project reports, which together focus on working towards standardisation of privacy risk assessment for cross-domain access and re-use of sensitive data for research purposes. The report specifically focuses on three main areas: • Three driver use cases are outlined as exemplars of cross-domain linkage and analysis related to public health research and integrated care. • Emerging data usage patterns and data sharing needs in operational health data networks are explored, concentrating on trusted research environments (TREs) as facilitators of federated sharing and processing of data. • Some different approaches to identifying, organising and using risk factors for privacy risk assessment are examined through a literature review. We now summarise some of the key points highlighted in this report: Outlining three driver use cases related to public health research and integrated care UK Research and Innovation (UKRI) cross council research utilising advanced analytics methods-artificial intelligence/machine learning (AI/ML)-for health and social care transformation often require data from multiple sources, including electronic health records, digital health applications and wearable technologies. As part of this project, we focus therefore on research taking place between the Medical Research Council (MRC)in relation to health, Economic and Social Research Council (ESRC)-concerning social science and social care, and Engineering and Physical Sciences Research Council (EPSRC)-with regard to computer science. Three real-world uses cases are outlined as exemplars of access and re-usage of cross-domain sensitive data:
Technology adoption is often predicted based on little information such as the Perceived ease-of-... more Technology adoption is often predicted based on little information such as the Perceived ease-of-use and the Perceived usefulness of the technology. Related constructs such as Attitude to use, Behavioral intention to use and External variables cannot be easily operationalised and so are often ignored. However, technology characteristics themselves fail to represent other factors such as potential adopter attitudes and how they react to the opportunities offered by the technology to meet their needs. In a series of three studies, qualitative methods were used to identify, validate and then exploit narrative themes. Based on the short narratives of potential adopters discussing their experiences with a set of cybersecurity tools, we are developing a small-story narrative framework to capture how they respond to the technology contextualised directly within their professional environment. Akin to concepts from adoption frameworks in healthcare intervention studies, we conclude that adopter's personal response to a technology and how they make sense of it in their environment becomes evident in the narratives they create.
Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and the... more Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and they may face various internal issues when attempting to set up cyber-risk strategies. In this work, we apply a user journey approach to model human behaviour and visually map SMEs' practices and threats, along with a visualisation of the socio-technical actor network, targeted specifically at the risks highlighted in the user journey. By using a combination of cybersecurity-related visualisations, our goals are: i) to raise awareness about cybersecurity, and ii) to improve communication among IT personnel, security experts, and non-technical personnel. To achieve these goals, we combine two modelling languages: Customer Journey Modelling Language (CJML) is a visual language for modelling and visualisation of work processes in terms of user journeys. System Security Modeller (SSM) is an asset-based risk-analysis tool for socio-technical systems. By demonstrating the languages' supplementary nature through a threat scenario and considering related theories, we believe that there is a sound basis to warrant further validation of CJML and SSM together to raise awareness and handle cyber threats in SMEs.
The Future Internet offers increasing opportunities for participation by private individuals, nat... more The Future Internet offers increasing opportunities for participation by private individuals, natural persons in legal terms 1. Personal access devices have not been confined to office-based personal computers for some time, and continue to evolve: computer systems grew smaller and more compact with a demand for increased portability, and personal communication devices (mobile phones) grew in storage and processing capacity as well as going beyond telecommunications to the web (smart phones) for the two to converge in tablet-type devices. On the one hand, this allows for extensive and pervasive connectivity all day, every day, for access to data and information systems, to communicate with friends, with colleagues and with businesses and government, as well as to share with the world or worlds what us going for the individual or in an individual's reaction to events or to others: the social network. On the other, this poses increasing challenges for personal privacy as well as freedom. Personal data associated with individuals should be treated with care, it can be assumed; but what happens when the data subjects themselves release such data via social networking sites (SNS)? In this report, relevant legislation surrounding the treatment of personal data is presented and reviewed. Interactions of individuals (data subjects) with online services is described against the legislative background and summary conclusions and recommendations are made directed at FI Users, FI Providers and Service and application developers. The report is divided into the following sections: Background: the legal perspective on protecting personal data outlines the legal framework in Europe for the protection of personal data, summarising the various sections of the Data Protection Directive for how such data should be handled. The reality: should we be nervous? discusses how legislation is implemented and lists areas such as unauthorised disclosure and sharing in terms of particular cases against well-known service providers. User perceptions: trust briefly reviews user attitudes to online services and how their personal data are protected. User confidence: the public domain outlines the legal basis for treating data which have been made public (such as varying sharing on public websites); and finally User profiles and data mining: derivative works looks how personal data shared via social networking sites along with records of online activity and behaviours can be used to build up profiles of end users which could well provide an unwanted perspective on a given individual. So the intention in this overview is to bring together legislative, subjective and service-oriented aspects of personal data usage as it stands today with some indicators of the challenges for those building as well as using the Future Internet.
The Real-Time Framework (RTF) is a novel development and execution platform for emerging Internet... more The Real-Time Framework (RTF) is a novel development and execution platform for emerging Internet infrastructures and applications with real-time requirements, such as distance learning and multi-player online computer games. In this paper, we describe RTF as part of the edutain@grid service architecture and explain the role distribution between the application developer and the framework. We study in detail the use of RTF for two application use cases: 1) multi-player online games running on multiple servers, and 2) distance learning with frequent interactions over a wide-area network. Then, we report experimental results on the performance and scalability of RTF-based infrastructures and applications. Finally, we formulate the advantages of RTF and the edutain@grid architecture that go beyond the state of the art in the area.
The analysis of existing software evaluation techniques reveals the need for evidence-based evalu... more The analysis of existing software evaluation techniques reveals the need for evidence-based evaluation of systems' trustworthiness. This paper aims at evaluating trustworthiness of socio-technical systems during designtime. Our approach combines two existing evaluation techniques: a computational approach and a risk management approach. The risk-based approach identifies threats to trustworthiness on an abstract level. Computational approaches are applied to evaluate the expected end-to-end system trustworthiness in terms of different trustworthiness metrics on a concrete asset instance level. Our hybrid approach, along with a complementary tool prototype, support the assessment of risks related to trustworthiness as well as the evaluation of a system with regard to trustworthiness requirements. The result of the evaluation can be used as evidence when comparing different system configurations.
The use of engineering meta-applications for activities such as design optimisation and sensitivi... more The use of engineering meta-applications for activities such as design optimisation and sensitivity analysis can provide substantial business benefits, but require significant computing resources. However, they can be made financially viable through the exploitation of software and hardware on demand business models, supported by an electronic marketplace. This paper presents an agent-based business-to-business e-commerce system that enables large-scale distributed engineering simulations using third-party resources. The system has wide applicability and can form an e-business framework for many resource-intensive applications provided by the emerging application service provision (ASP) market.
Digital health data is created, stored and processed in healthcare IT infrastructures. These infr... more Digital health data is created, stored and processed in healthcare IT infrastructures. These infrastructures are the target of large-scale cyber-attacks and are found to be vulnerable, primarily for two main reasons: the heterogeneity of infrastructure and the numerous stakeholders (medical staff, managers, patients, regulators etc.). Furthermore, the stakeholders have different attitudes, skills, awareness and data handling practices that offer many opportunities for malicious activities. Healthcare in general is characterised by a multitude of regulations and adherence to them is essential to the functioning of the system. Compliance management is usually described in terms of risks and involves activities such as risk identification, assessment and treatment. Our paper conceptualises the notion of a "compliance threat" and discusses the security of crossborder health data exchange. The paper presents the architecture of the System Security Modeller and illustrates the security risk assessment of the "break glass" scenario which requires health data communication in an emergency situation.
Uploads
Papers by Mike Surridge