Similar literature
Found 20 similar documents; search took 31 ms
1.
Online privacy policies describe organizations’ privacy practices for collecting, storing, using, and protecting consumers’ personal information. Users need to understand these policies in order to know how their personal information is being collected, stored, used, and protected. Organizations need to ensure that the commitments they express in their privacy policies reflect their actual business practices, especially in the United States where the Federal Trade Commission regulates fair business practices. Requirements engineers need to understand the privacy policies to know the privacy practices with which the software must comply and to ensure that the commitments expressed in these privacy policies are incorporated into the software requirements. In this paper, we present a methodology for obtaining requirements from privacy policies based on our theory of commitments, privileges, and rights, which was developed through a grounded theory approach. This methodology was developed from a case study in which we derived software requirements from seventeen healthcare privacy policies. We found that legal-based approaches do not provide sufficient coverage of privacy requirements because privacy policies focus primarily on procedural practices rather than legal practices.

2.
Research shows that despite organisational efforts to achieve privacy compliance, privacy breaches continue to rise. The extant studies on organisational privacy compliance concentrate on the extent to which privacy threats can be alleviated through a combination of technical and human controls and the positive (and often intended) influences of these controls. This focus inadvertently neglects unintended consequences such as impeded workflow in medical practices. To address this research conflict, this study uses an interpretive grounded theory research approach to investigate the consequences of privacy safeguard enactment in medical practices, including whether it influences their ability to meet privacy requirements and whether workflows are impeded. Our central contribution is a theoretical framework, the unintended consequences of privacy safeguard enactment (UCPSE) framework, which explicates the process by which privacy safeguards are evaluated and subsequently bypassed and the resulting influence on organisational compliance. The UCPSE highlights the importance of the imbalance challenge, which is the result of unintended consequences outweighing the intended consequences of privacy safeguard enactment. Failure to address the imbalance challenge leads to the adoption of workarounds that may ultimately harm the organisation’s privacy compliance. Despite several research calls, the consequences and effectiveness of organisational privacy efforts are largely missing from both information systems and health informatics research. This study is one of the first attempts to both systematically identify the impacts of privacy safeguard enactment and to examine its implications for privacy compliance in the healthcare domain. The findings also have practical implications for healthcare executives on the UCPSE and how they could alleviate the imbalance challenge to thwart workarounds and the subsequent negative effects on privacy compliance.

3.
Individual online privacy, already a hot button in the political landscape, is no less important for IT professionals. In 1999, the authors distributed a survey to 500 data workers in the healthcare and financial fields. The results of the study suggest that privacy concerns are not confined to consumers, but the employees who access and collect the data are concerned as well. The survey posed 15 questions regarding the responders' attitudes about the organizational practices at their organization. The data collected from the survey reveals that healthcare workers are concerned about organizational practices causing errors in patient information, as well as unsanctioned use of patient information. Similarly, the survey research indicates that employees of financial institutions are concerned with organizational practices that allow improper access to customer information. Given the results in these two fields, IT workers and managers in all fields must be prepared to deal with this issue, for it is likely to confront them soon.

4.
Research has indicated that interoperability promotes the enabling of information transparency and data fluidity for collaborating healthcare system enterprises, but due to issues of data ownership, distributed IT governance and cyber-security, valuable data continue to be isolated by intangible digital boundaries among healthcare institutions. That is, most existing institutional arrangements, organizational structures, and management processes do not support the required level of cross-boundary collaboration, trust, and attention to privacy. As data or information exchange involves an organizational change process, it appears vital to enhance the interactions and participation of stakeholders within the healthcare systems. This study argues that an enactment model, which comprises both cognition and action and often leads to stakeholder commitments for facilitating change, is able to address the required level of institutional cross-boundary collaboration in healthcare.

5.
Conventional procedures to ensure authorized data access by using access control policies are not suitable for cloud storage systems as these procedures can reveal valid access parameters to a cloud service provider. In this paper, we have proposed oblivious access control policy evaluation (O-ACE), a data sharing system which obliviously evaluates access control policy on a cloud server and provisions access to the outsourced data. O-ACE reveals no useful information about the access control policy either to the cloud service provider or to unauthorized users. Through the security analysis of O-ACE it has been observed that the computational complexity to compromise privacy of the outsourced data is the same as reverting asymmetric encryption without a valid key pair. We have realized O-ACE for Google Cloud. Our evaluation results show that the O-ACE CPU utilization cost is 0.01–0.30 dollar per 1,000 requests.

6.
A requirements taxonomy for reducing Web site privacy vulnerabilities   Total citations: 1, self-citations: 1, citations by others: 0
The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.
Annie I. Antón

7.
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.

8.
Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.

9.
Compliance Management (CM) is the management process that an organization implements to ensure organizational compliance with relevant requirements and expectations. The most complicated, time-consuming, and costly process in CM is compliance checking because it requires a person who has a good knowledge of policy to examine whether the current operations meet the policy requirements. Many researchers have tried to study better ways to automate the compliance checking process, but most of them require the operation logs in to the computer systems. This paper proposes a methodology to enable the automation of compliance checking for those operations that have no log in computer systems by using a questions and answers principle to cooperate with the semantic web technologies. Since there are some operations that cannot be understood by computer systems, using questions is one way to gather the answers, such as operation log to evaluate their compliance. The proposed methodology can help noncertified auditors perform the compliance checking so that the time and cost of compliance checking would be greatly reduced.

10.
11.
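As the agreement terms between users and applications, a mobile application's privacy policy is a key document that must be disclosed to users before their information is collected. In recent years, the state has issued multiple policies and regulations explicitly requiring mobile applications to provide clear and standardized privacy policies. However, today's privacy policies have many problems, such as missing disclosure of core items, omission of the purpose of information collection, and use of vague wording. On the other hand, as the number of legal provisions grows and the requirements differ between provisions, the work of checking privacy policy compliance becomes increasingly burdensome. This paper proposes a multi-label classification method for mobile application privacy policies. By comparing the requirements that four core laws and regulations place on privacy policies, the method summarizes 31 categories of core item labels and their features. Under this label scheme, the paper designs and implements a classification model for privacy policy sentences, which achieves 94% item classification accuracy. Based on this model, combined with syntactic structure parsing and entity recognition, the paper performs compliance checking in Android application and mini-program scenarios, and finds that 79%, 63% and 94% of privacy policies have the problems of missing items, omitted purposes and vague wording, respectively.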

12.
Knowledge based privacy policies are more declarative than traditional action based ones, because they specify only what is permitted or forbidden to know, and leave the derivation of the permitted actions to a security monitor. This inference problem is already non trivial with a static privacy policy, and becomes challenging when privacy policies can change over time. We therefore introduce a dynamic modal logic that permits not only to reason about permitted and forbidden knowledge to derive the permitted actions, but also to represent explicitly the declarative privacy policies together with their dynamics. The logic can be used to check both regulatory and behavioral compliance, respectively by checking that the permissions and obligations set up by the security monitor of an organization are not in conflict with the privacy policies, and by checking that these obligations are indeed enforced.

13.
Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

14.
陈迪  邱菡  朱俊虎  王清贤  樊松委 《软件学报》2023,34(9):4336-4350
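Autonomous systems (ASes) in the inter-domain routing system have different business relationships and routing policies. Route propagation that violates the export policy agreements between ASes may cause route leaks, which in turn lead to serious consequences such as network outages, traffic eavesdropping and link overload. Verifying routing policy compliance is essential for ensuring the security and stability of the inter-domain routing system. However, the dual needs of ASes for autonomous configuration of local routing policies and for privacy protection make verifying routing policy compliance harder, and it has remained a difficult problem in inter-domain routing security that has not been properly solved. This paper proposes a blockchain-based method for verifying inter-domain routing policy compliance. Using blockchain and cryptographic techniques as the basis of trust, the method enables ASes to publish, exchange, verify and enforce routing policy expectations in a secure and private manner, and guarantees the authenticity of the route propagation process by generating route proofs for the corresponding route updates, thereby completing routing policy compliance verification through multi-party collaboration. A prototype system was implemented, and experiments and analysis were carried out on real routing data. The results show that the method can perform traceable verification of export policy compliance for route propagation without revealing ASes' business relationships or local routing policies, effectively suppresses policy-violating route propagation at reasonable overhead, and also has significant ability to suppress policy-violating routes under partial deployment.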

15.
Access control mechanism for encrypted cloud storage with policy hiding   Total citations: 1, self-citations: 1, citations by others: 0
雷蕾  蔡权伟  荆继武  林璟锵  王展  陈波 《软件学报》2016,27(6):1432-1450
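Using cryptographic techniques to protect the confidentiality of cloud storage data and enforce access control is an important topic in current cloud computing security research. Selective encryption generates a key derivation graph from the access control policy in order to distribute keys; while ensuring the confidentiality of cloud storage data and fine-grained access control, it has the advantages of simplifying encrypted file storage and requiring few system keys. However, existing selective encryption schemes need to disclose the access control policy fully or partially for use in key derivation; this information reflects the authorized access relationships between users and files and leaks user privacy. Building on existing research, this paper proposes a new access control policy hiding mechanism which, while supporting fine-grained access control and efficient key distribution for encrypted cloud storage data, better hides access control policy information, and also has a clear advantage in the computation speed of key retrieval.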

16.
IT in healthcare: progress report   Total citations: 1, self-citations: 0, citations by others: 1
Jepsen  T. 《IT Professional》2003,5(1):8-14
The paper considers how increasing computerization and recent regulatory changes are putting new pressures on healthcare information management. Healthcare providers must interact with many insurers, each with a different set of procedures for filing claims and making payments. To simplify the process and reduce the overhead associated with filing insurance claims, HIPAA provides a standard set of electronic transaction formats as well as regulations to ensure the privacy and security of healthcare-related transactions.

17.
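As the number of app users grows rapidly, the problem of privacy leakage of personal information subjects is also becoming increasingly serious. For this reason, in recent years China has successively issued legal documents concerning the security of personal private information in apps, and the relevant authorities have successively carried out app rectification work, aiming to regulate the collection, storage and processing of personal information by apps. This paper surveys the app compliance problem, reveals the challenges facing app security in China, lists the app-related regulations and policies issued by authorities at various levels in China, and introduces the measures the state has launched for app governance. It surveys app compliance detection methods, dividing domestic and international app compliance detection into three categories, namely completeness detection, consistency detection and readability detection of app privacy policies, and analyzes and summarizes these three categories of methods from different dimensions and entry points. It organizes and analyzes domestic app compliance detection platforms and their corresponding functions. It identifies the challenges that remain in app compliance detection and looks ahead to future directions.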

18.
One of the hottest topics in the Internet of Things (IoT) domain relates to the ability of enabling computation and storage at the edges of the network. This is becoming a key feature in order to ensure the ability of managing in a scalable way service requests with low response times. This means being able to acquire, store, and process IoT-generated data closer to the data producers and data consumers. In this scenario, also security and privacy solutions must be applied in a capillary way at the edges of the network. In particular, a control on access to data generated by IoT devices is necessary for guaranteeing proper levels of security and privacy as well as for preventing violation attempts, while allowing data owners to monitor and control their information. In this paper, a sticky policy approach is proposed as a strategy for efficiently managing the access to IoT resources within an existing distributed middleware architecture. As demonstrated in the experimental evaluation, sticky policies represent a promising and efficient technique to increase the robustness (in a security perspective) of the IoT system.

19.
This paper proposes a purpose-based access control model in a distributed computing environment for privacy preserving policies and mechanisms, and describes algorithms for policy conflicting problems. The mechanism enforces access policy to data containing personally identifiable information. The key component is purpose involved access control models for expressing highly complex privacy-related policies with various features. A policy refers to an access right that a subject can have on an object, based on attribute predicates, obligation actions, and system conditions. Policy conflicting problems may arise when new access policies are generated that may conflict with existing policies. As a result of the policy conflicts, private information cannot be well protected. The structure of purpose involved access control policy is studied, and efficient conflict-checking algorithms are developed and implemented. Finally, a discussion of our work in comparison with other related work such as EPAL is presented.

20.
We describe a data management solution and associated key management approaches to provide accountability within service provision networks, in particular addressing privacy issues in cloud computing applications. Our solution involves machine readable policies that stick to data to define allowed usage and obligations as data travels across multiple parties. Service providers have fine-grained access to specific data based on agreed policies, enforced by interactions with independent third parties that check for policy compliance before releasing decryption keys required for data access. We describe alternative solutions based upon Public Key Infrastructure (PKI), Identity Based Encryption (IBE) and advanced secret sharing schemes.
