Towards legal compliance by correlating Standards and Laws with a semi-automated methodology

in Bosse, Tibor; Bredeweg, Bert (Eds.) Communications in Computer and Information Science (2017)

Since generally legal regulations do not provide clear parameters to determine when their requirements are met, achieving legal compliance is not trivial. The adoption of standards could help create an ... [more ▼]

Since generally legal regulations do not provide clear parameters to determine when their requirements are met, achieving legal compliance is not trivial. The adoption of standards could help create an argument of compliance in favour of the implementing party, provided there is a clear correspondence between the provisions of a specific standard and the regulation's requirements. However, identifying such correspondences is a complex process which is complicated further by the fact that the established correlations may be overridden in time e.g., because newer court decisions change the interpretation of certain legal provisions. To help solve these problems, we present a framework that supports legal experts in recognizing correlations between provisions in a standard and requirements in a given law. The framework relies on state-of-the-art Natural Language Semantics techniques to process the linguistic terms of the two documents, and maintains a knowledge base of the logic representations of the terms, together with their defeasible correlations, both formal and substantive. An application of the framework is shown by comparing a provision of the European General Data Protection Regulation with the ISO/IEC 27018:2014 standard. [less ▲]

The Cipher, the Random and the Ransom: A Survey on Current and Future Ransomware

in Advances in Cybersecurity 2017 (2017)

Although conceptually not new, ransomware recently regained attraction in the cybersecurity community: notorious attacks in fact have caused serious damage, proving their disruptive effect. This is likely ... [more ▼]

Although conceptually not new, ransomware recently regained attraction in the cybersecurity community: notorious attacks in fact have caused serious damage, proving their disruptive effect. This is likely just the beginning of a new era. According to a recent intelligence report by Cybersecurity Ventures, the total cost due to ransomware attacks is predicted to exceed $5 billion in 2017. How can this disruptive threat can be contained? Current anti-ransomware solutions are effective only against existing threats, and the worst is yet to come. Cyber criminals will design and deploy more sophisticated strategies, overcoming current defenses and, as it commonly happens in security, defenders and attackers will embrace a competition that will never end. In this arm race, anticipating how current ransomware will evolve may help at least being prepared for some future damage. In this paper, we describe existing techniques to mitigate ransomware and we discuss their limitations. Discussing how current ransomware could become even more disruptive and elusive is crucial to conceive more solid defense and systems that can mitigate zero-day ransomware, yielding higher security levels for information systems, including critical infrastructures such as intelligent transportation networks and health institutions. [less ▲]

Transparent Medical Data Systems

in Journal of Medical Systems (2016)

Transparency is described as the quality to be open about policies and practices. It is intended to inform end users of what happens to their data. It promotes good quality of service and is believed to ... [more ▼]

Transparency is described as the quality to be open about policies and practices. It is intended to inform end users of what happens to their data. It promotes good quality of service and is believed to sustain people's demand for privacy. However, at least for medical data systems, a clear definition of the property is missing and there is no agreement on what requirements qualify it. We look into this problem. First we identify concepts that relate with transparency: openness, empowerment, auditability, availability, accountability, verifiability. We discuss them in Health Information Technology, so clarifying what transparency is. Then we elicit a list of requirements that indicate how transparency can be realised in modern medical data systems such as those managing electronic health records. [less ▲]

Towards legal compliance by correlating Standards and Laws with a semi-automated methodology

in Proceedings of the 28 Benelux Conference on Artificial Intelligence (BNAIC) (2016, November)

Since legal regulations do not generally provide clear parameters to determine when their requirements are met, achieving legal compliance is not trivial. If there were a clear correspondence between the ... [more ▼]

Since legal regulations do not generally provide clear parameters to determine when their requirements are met, achieving legal compliance is not trivial. If there were a clear correspondence between the provisions of a specific standard and the regulation’s requirements, one could implement the standard to claim a presumption of compliance. However, finding those correspondences is a complex process; additionally, correlations may be overridden in time, for instance, because newer court decisions change the interpretation of certain provisions. To help solve this problem, we present a framework that supports legal experts in recognizing correlations between provisions in a standard and requirements in a given law. The framework relies on state-of-the-art Natural Language Semantics techniques to process the linguistic terms of the two documents, and maintains a knowledge base of the logic representations of the terms, together with their defeasible correlations, both formal and substantive. An application of the framework is shown by comparing a provision of the European General Data Protection Regulation against the ISO/IEC 27018:2014 standard. [less ▲]

High-fidelity spherical cholesteric liquid crystal Bragg reflectors generating unclonable patterns for secure authentication

in Scientific Reports (2016), 6(26840), 1-8

Monodisperse cholesteric liquid crystal microspheres exhibit spherically symmetric Bragg reflection, generating, via photonic cross communication, dynamically tuneable multi-coloured patterns. These ... [more ▼]

Monodisperse cholesteric liquid crystal microspheres exhibit spherically symmetric Bragg reflection, generating, via photonic cross communication, dynamically tuneable multi-coloured patterns. These patterns, uniquely defined by the particular sphere arrangement, could render cholesteric microspheres very useful in countless security applications, as tags to identify and authenticate their carriers, mainly physical objects or persons. However, the optical quality of the cholesteric droplets studied so far is unsatisfactory, especially after polymerisation, a step required for obtaining durable samples that can be used for object identification. We show that a transition from droplets to shells solves all key problems, giving rise to sharp patterns and excellent optical quality even after polymerisation, the polymerised shells sustaining considerable mechanical deformation. Moreover, we demonstrate that, counter to prior expectation, cross communication takes place even between non-identical shells. This opens additional communication channels that add significantly to the complexity and unique character of the generated patterns. [less ▲]

Analysing the Efficacy of Security Policies in Cyber-Physical Socio-Technical Systems

in Barthe, Gilles; Markatos, Evangelos (Eds.) Security and Trust Management - STM 2016 (2016)

A crucial question for an ICT organization wishing to improve its security is whether a security policy together with physical access controls protects from socio-technical threats. We study this question ... [more ▼]

A crucial question for an ICT organization wishing to improve its security is whether a security policy together with physical access controls protects from socio-technical threats. We study this question formally. We model the information flow defined by what the organization's employees do (copy, move, and destroy information) and propose an algorithm that enforces a policy on the model, before checking against an adversary if a security requirement holds. [less ▲]

Formal Security Analysis of Traditional and Electronic Exams

in Communications in Computer and Information Science (2015), 554

Nowadays, students can be assessed not only by means of pencil-and-paper tests but also by electronic exams which they take in examination centers or even from home. Electronic exams are appealing as they ... [more ▼]

Nowadays, students can be assessed not only by means of pencil-and-paper tests but also by electronic exams which they take in examination centers or even from home. Electronic exams are appealing as they can reach larger audiences, but they are exposed to new threats that can potentially ruin the whole exam business. These threats are amplified by two issues: the lack of understanding of what security means for electronic exams (except the old concern about students cheating), and the absence of tools to verify whether an exam process is secure. This paper addresses both issues by introducing a formal description of several fundamental authentication and privacy properties, and by establishing the first theoretical framework for an automatic analysis of exam security. It uses the applied π-calculus as a framework and ProVerif as a tool. Three exam protocols are checked in depth: two Internet exam protocols of recent design, and the pencil-and-paper exam used by the University of Grenoble. The analysis highlights several weaknesses. Some invalidate authentication and privacy even when all parties are honest; others show that security depends on the honesty of parties, an often unjustified assumption in modern exams. [less ▲]

2015 Workshop on Socio-Technical Aspects in Security and Trust, STAST 2015, Verona, Italy, July 13, 2015

Scientific Conference (2015, July 13)

Security on medical data sharing (a literature review)

Report (2015)

In Cyber-Space No One Can Hear You S·CREAM, A Root Cause Analysis for Socio-Technical Security

in Foresti, Sara (Ed.) Security and Trust Management (2015)

Inspired by the root cause analysis techniques that in the field of safety research and practice help investigators understand the reasons of an incident, this paper investigates the use of root cause ... [more ▼]

Inspired by the root cause analysis techniques that in the field of safety research and practice help investigators understand the reasons of an incident, this paper investigates the use of root cause analysis in security. We aim at providing a systematic method for the security analyst to identify the socio-technical attack modes that can potentially endanger a system’s security. [less ▲]