From Restrictions to Regulations: The Social Side of Security


1 From Restrictions to Regulations: The Social Side of Security
Özgür Kafalı, Postdoctoral Researcher
Fall 2015 Community Forum, October 29, 2015

2 Restrictions are Annoying
Session timeout! Enter password * * * * *
"seriously now?!"

3 What Could Go Wrong?
People have different tolerance levels for restrictions!
Find workarounds:
  copy / paste from another document
  choose less secure passwords
Associated risks could be worse

4 Can We Do Better?
Session: 2h left
Don’t forget to logout
"that’s better"

5 Goal
User level: Safety vs Liveness
Architectural level: Technical vs Social
Security, Functionality

6 Evaluation of Designs
Formal AI methods help us evaluate different design choices
Promote flexibility: increase session duration
Provide accountability: commitments from users to log out

7 Research Questions: Verification
How can we verify that a given specification satisfies desired properties?
  Which specification is more resilient to misuse?
  Does a specification support easy recovery from misuse?

8 Research Questions: Revision
How can we revise a given specification to ensure it satisfies desired properties?
  Enhance liveness while preserving resilience
  Enhance resilience while preserving liveness

9 Sociotechnical Systems (STS)
A social organization with
  software components
  stakeholders with individual goals
Hospital setting
  healthcare software
  administrators, physicians, workers, patients

10 STS Architecture

11 Technical Mechanisms
Software level: access control to system resources
Physical level: entrance to emergency department

12 Social Norms
Regulate interactions among stakeholders
  Physicians are committed to treating patients
  Only experts are authorized to operate on patients

13 Social Norms
Healthcare workers are prohibited from disclosing patient’s information
Sanctions for violating norms

14 Norm Strength: Authorization
Grant access to PC for 2 hours (stronger)
Grant access to PC for 15 minutes (weaker)

15 Norm Strength: Prohibition
Deny access to patient records without consent (stronger)
In nonemergency cases, deny access to patient records without consent (weaker)

16 Revision Patterns: Relaxation
Columns: Relation Used, Deadline
Release of liability: weaker commitment, extend
Ease of use: stronger authorization
Accessibility: weaker prohibition, shorten

17 Revision Patterns: Accountability
Deny access to patient records without consent
  accessibility: In nonemergency cases, deny access to patient records without consent
  accountability: Deny sharing of patient’s protected information
Fall 2013 Community Forum, October 22, 2013

18 Formal Verification Techniques
Formalize requirements in temporal logic
Apply model checking
Verify whether
  desired properties are satisfied
  undesired executions are impossible
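An added illustration, not taken from the talk or from the author's tool: a small exhaustive check that compares the session designs from the earlier slides. It enumerates every user execution instead of using a temporal-logic model checker, and the 15-minute step, the 45-minute task and the "more than 15 minutes unattended" exposure rule are assumptions made for this example.

```python
from itertools import product

TICK_MIN = 15        # one step = 15 minutes (assumption)
HORIZON = 8          # explore 2 hours of user behaviour
TASK_TICKS = 3       # task needs 45 minutes of work in one session (assumption)
ACTIONS = ("work", "leave", "logout")   # "leave" = walk away without logging out

def run(trace, limit):
    """Execute one user trace against a session limited to `limit` ticks."""
    worked = away = 0
    exposed = violated = False
    for tick, act in enumerate(trace):
        if tick >= limit or act == "logout":
            break                        # timeout or voluntary logout closes the session
        if act == "work":
            worked, away = worked + 1, 0
        else:                            # session is open and unattended
            away += 1
            violated = True              # breaks the commitment to log out
            exposed = exposed or away * TICK_MIN > 15
    return worked >= TASK_TICKS, exposed, violated

def check(limit_min, with_commitment=False):
    """Check liveness and safety over all executions of one design."""
    runs = [run(t, limit_min // TICK_MIN) for t in product(ACTIONS, repeat=HORIZON)]
    # With the social norm, safety is judged over compliant users only.
    judged = [r for r in runs if not r[2]] if with_commitment else runs
    return {
        # desired property: some execution finishes the task
        "liveness": any(done for done, _, _ in judged),
        # undesired executions are impossible: no exposed session
        "safety": not any(exp for _, exp, _ in judged),
        # every exposed execution contains a commitment violation
        "accountable": all(viol for _, exp, viol in runs if exp),
    }

if __name__ == "__main__":
    designs = [("15 min timeout", (15,)), ("2 h session", (120,)),
               ("2 h session + logout commitment", (120, True))]
    for name, args in designs:
        print(name, check(*args))
```

The short timeout is safe but never lets the task finish, the long session alone allows exposed executions, and the long session with the commitment satisfies both properties while tying every exposure to a user who broke the norm.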

19 Revision Tool

20 Who Could Benefit?
Offer software designers additional security choices
Evaluate different designs with our AI tools
  compare possible executions
  select designs that promote secure collaboration among users

21 Collaboration Opportunities
Case studies with different organizations
What we need:
  Access to security policies / requirements
  Interview designers
What we offer:
  Evaluate requirements
  Identify / resolve conflicts
  Apply social patterns

