Standards and Standardization
Latest Publications


Total documents: 76 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781466681118, 9781466681125

2015, pp. 1638-1652
Author(s): Panagiotis Kitsos, Aikaterini Yannoukakou

The events of 9/11 along with the bombings in Madrid and London forced governments to resort to new structures of privacy safeguarding and electronic surveillance under the common denominator of terrorism and transnational crime fighting. Legislation such as the US PATRIOT Act and the EU Data Retention Directive fundamentally altered the collection, processing and sharing methods of personal data, while it granted increased powers to police and law enforcement authorities concerning their jurisdiction in obtaining and processing personal information to an excessive degree. In the aftermath of the resulting opacity and the public outcry, a shift has been recorded in recent years towards more open governance through the implementation of open data and cloud computing practices in order to enhance transparency and accountability on the side of governments, restore the trust between the State and the citizens, and amplify the citizens' participation in decision-making procedures. However, privacy and personal data protection are major issues on all occasions and, thus, must be safeguarded without sacrificing national security and public interest on one hand, but without crossing the thin line between protection and infringement on the other. Where this delicate balance stands is the focal point of this paper, which tries to demonstrate that it is better to be cautious with open practices than hostage to clandestine practices.


2015, pp. 1370-1414
Author(s): Jaydip Sen

Cloud computing transforms the way Information Technology (IT) is consumed and managed, promising improved cost efficiencies, accelerated innovation, faster time-to-market, and the ability to scale applications on demand (Leighton, 2009). According to Gartner, while the hype grew exponentially during 2008 and continued since, it is clear that there is a major shift towards the cloud computing model and that the benefits may be substantial (Gartner Hype-Cycle, 2012). However, as the shape of cloud computing is emerging and developing rapidly both conceptually and in reality, the legal/contractual, economic, service quality, interoperability, security, and privacy issues still pose significant challenges. In this chapter, the authors describe various service and deployment models of cloud computing and identify major challenges. In particular, they discuss three critical challenges: regulatory, security, and privacy issues in cloud computing. Some solutions to mitigate these challenges are also proposed along with a brief presentation on the future trends in cloud computing deployment.


2015, pp. 1279-1316
Author(s): Vyacheslav Kharchenko, Andriy Kovalenko, Anton Andrashov

One of the most challenging modern problems—security assessment and assurance for safety important I&C systems—is discussed. Interrelations and hierarchical structure of I&C systems attributes, including safety and security, are considered. Review of existing regulatory documents that covers various development and operation aspects of safety important I&C systems is presented. Such a review also addresses issues related to requirements for safety important I&C systems, including security requirements, depending on their underlying technology, as well as reveals the impact of the main features, including used technologies and development approaches. Main challenging problems and requirements in the area of security assurance for complex safety important I&C systems are outlined. A possible way to analyze the security vulnerabilities of safety important I&C system is considered; it is based on process-product approach, and it requires performance of assessments for products (components of I&C system at different life cycle stages) and all the processes within the product life cycle. A possible approach to assessment and assurance of safety important I&C systems security is discussed. Such an approach takes into account possible vulnerabilities of Field Programmable Gate Arrays (FPGA) technology and appropriate points of their insertion into the life cycle. An analysis of existing techniques for assurance of safety important I&C systems security is performed.


2015, pp. 1253-1278
Author(s): Reza Alavi, Shareeful Islam, Hamid Jahankhani, Ameer Al-Nemrat

Managing security is essential for organizations doing business in a globally networked environment and for organizations that are at the same time seeking to achieve their missions and goals. However, numerous technical advancements do not always produce a more secure environment. All kinds of human factors can deeply affect the management of security in an organizational context. Therefore, security is not solely a technical problem; rather, the authors need to understand human factors, which need adequate attention to achieve an effective information security management system practice. This paper identifies direct and indirect human factors that have impact on information security. These factors were analyzed through the study of two security incidents of the UK's financial organizations using the SWOT (Strength, Weaknesses, Opportunities, and Threats) technique. The study's results show that human factors are the main causes for these security incidents. Factors such as training, awareness, and security culture influence organizational strength and opportunity relating to information security. People's irrational behavior and errors are the main weaknesses highlighted in security incidents, which pose threats such as poor reputation and high costs.


2015, pp. 1236-1252
Author(s): Ourania I. Markaki, Panagiotis Kokkinakos, Sotirios Koussouris, John Psarras, Habin Lee, ...

This paper introduces an innovative approach for more factual, evidence-based and accountable policy analysis and evaluation, based on open public data, prosperity indicators, fuzzy cognitive maps and argumentation technology. The approach is inspired by the Policy Compass FP7 project and assumes to make better use of Europe's open public data resources, so as to enable both the lay public and domain experts to create, apply, annotate, share and discuss progress metrics and causal models of policies. The aim is to empower stakeholders in assessing the governments' course of actions and contribute in transforming government structures to a more participatory and democratic form. The paper attempts to make a rather complete and comprehensive statement for policy analysis and evaluation, as it provides a thorough description of the proposed approach, including both its theoretical framework and technical approach, as well as a series of indicative use case scenarios and anticipated benefits. The paper concludes with relevant implementation concerns as well as future plans for the validation of the approach and its benefits.


2015, pp. 1182-1203
Author(s): Lemi Baruh, Mihaela Popescu

In the wake of the quick penetration of mobile devices into the everyday lives of individuals, protection of privacy in mobile ecosystems has become a hot button issue. Existing regulatory efforts on mobile privacy primarily focus on protection of the informational privacy of individuals. While necessary, focusing solely on informational privacy may not be sufficient in terms of protecting users' privacy in mobile environments. The chapter discusses the privacy implications of design architectures and economic arrangements in the mobile ecosystems and argues that mobile environments create privacy-threatening “sticky” relationships that make it increasingly difficult for individuals not only to control flow of information about themselves, but also flow of communication that targets them. This chapter argues that an important supplement to protecting users' privacy is to restore users' control over the communicative interaction with the companies seeking to target them. To that purpose, the chapter offers a set of principles, called “home mode” for mobile privacy, in implementing remedies for threats to privacy in mobile environments.


2015, pp. 1053-1075
Author(s): Hongwei “Chris” Yang

A paper survey of 489 Chinese college students was conducted in spring, 2012 to test a conceptual model of online information disclosure in social media. It shows that young Chinese SNS users' prior negative experience of online disclosure significantly increased their online privacy concerns and their perceived risk. Their online privacy concerns undermined their trust of online companies, marketers and laws to protect privacy and elevated their perceived risk. Their trust strongly predicted their intent to disclose the lifestyle and sensitive information. Their online privacy concerns only inhibited them from disclosing sensitive information in social media. However, their prior negative experience did not directly predict their intent of self-disclosure on SNS. Implications for academia and industry are discussed.


2015, pp. 994-1017
Author(s): Ioanna Dionysiou, Angelika Kokkinaki, Skevi Magirou, Theodosios Iacovou

This chapter presents the findings of an investigation on current security practices in Cypriot organizations, including enterprises and public sector divisions. In order to gain knowledge on the deployed security technologies by organizations, a survey was conducted and concluded in late 2010. The survey primarily examined compliance of enterprise current security policies and procedures with ISO 27001 security guidelines. A research analysis has been performed and identified that security mechanisms and the management of information technology (IT) resources may be improved on a number of aspects. Based on the research findings, an assessment of the viability of ISO 27001 in Cyprus is given as well as recommendations on the further deployment of ISO 27001.


2015, pp. 875-896
Author(s): Kristian Beckers, Isabelle Côté, Ludger Goeke, Selim Güler, Maritta Heisel

Cloud computing systems offer an attractive alternative to traditional IT systems because of the economic benefits that arise from the cloud's scalable and flexible IT resources. The benefits are of particular interest for SMEs. The reason is that using cloud resources allows an SME to focus on its core business rather than on IT resources. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure for them to use. Therefore, they have to have a clear set of security requirements covering their security needs. Eliciting these requirements is a difficult task because of the number of stakeholders and technical components to consider in a cloud environment. Therefore, the authors propose a structured, pattern-based method supporting eliciting security requirements and selecting security measures. The method guides potential cloud customers to model the application of their business case in a cloud computing context using a pattern-based approach. Thus, a potential cloud customer can instantiate our so-called Cloud System Analysis Pattern. Then, the information of the instantiated pattern can be used to fill out our textual security requirements patterns and individually defined security requirement patterns as well. The presented method is tool-supported. Our tool supports the instantiation of the cloud system analysis pattern and automatically transfers the information from the instance to the security requirements patterns. In addition, they have validation conditions that check, e.g., if a security requirement refers to at least one element in the cloud. The authors illustrate their method using an online-banking system as a running example.


2015, pp. 809-835
Author(s): Tapio Levä, Antti Riikonen, Juuso Töyli, Heikki Hämmäinen

Internet protocols spread to potential adopters through several successive phases of implementation, commercialization, acquisition, and adoption of the protocol. This process of protocol deployment involves several stakeholders and varies depending on the deployment environment and the protocol in question. This complexity and the lack of comprehensive measurement studies call for a further conceptualization of measuring protocol diffusion along the whole deployment process. Therefore, this article develops a framework for measuring the deployment of Internet protocols, consisting of deployment steps, deployment models, deployment measures, and data sources. The measures are further linked to each other through deployment gaps and delays. In order to demonstrate the framework, it is used to assess how a set of pre-installed protocols spread in the Finnish mobile market. The framework highlights the differences between the deployment models and the importance of using both the deployment measures and gaps in the analysis of protocol success. Furthermore, the illustrative results indicate that protocol deployment is driven by applications, and show the existence of large deployment gaps between protocol possession and usage. The results are relevant especially to researchers interested in holistically analyzing protocol deployment and to protocol developers for measuring and improving the success of their protocols.

