liu.seSök publikationer i DiVA
Ändra sökning
Länk till posten
Permanent länk

Direktlänk
BETA
Herzog, Almut
Publikationer (10 of 17) Visa alla publikationer
Herzog, A., Shahmehri, N. & Duma, C. (2009). An ontology for information security (1ed.). In: Nemadi H (Ed.), Techniques and applications for advanced information privacy and security: emerging organizational, ethical and human issues (pp. 278-301). Information Science Reference
Öppna denna publikation i ny flik eller fönster >>An ontology for information security
2009 (Engelska)Ingår i: Techniques and applications for advanced information privacy and security: emerging organizational, ethical and human issues / [ed] Nemadi H, Information Science Reference , 2009, 1, s. 278-301Kapitel i bok, del av antologi (Övrigt vetenskapligt)
Abstract [en]

Advances in technology are causing new privacy concerns as an increasing number of citizens are engaging in online activities.

Techniques and Applications for Advanced Information Privacy and Security: Emerging Organizational, Ethical, and Human Issues provides a thorough understanding of issues and concerns in information technology security. An advanced reference source covering topics such as security management, privacy preservation, and authentication, this book outlines the field and provides a basic understanding of the most salient issues in privacy concerns for researchers and practitioners.

Show more Show less

Ort, förlag, år, upplaga, sidor
Information Science Reference, 2009 Upplaga: 1
Nationell ämneskategori
Teknik och teknologier
Identifikatorer
urn:nbn:se:liu:diva-59977 (URN)97-81-60566-210-7 (ISBN)1605662100 (ISBN)
Tillgänglig från: 2010-10-01 Skapad: 2010-10-01 Senast uppdaterad: 2014-06-24Bibliografiskt granskad
Herzog, A., Shahmehri, N. & Duma, C. (2007). An ontology of information security. International Journal of Information Security and Privacy, 1(4), 1-23
Öppna denna publikation i ny flik eller fönster >>An ontology of information security
2007 (Engelska)Ingår i: International Journal of Information Security and Privacy, ISSN 1930-1650, Vol. 1, nr 4, s. 1-23Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

We present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities, countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap, and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, for example, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. We provide the means for extending the ontology, and provide examples of the extendibility with the countermeasure classes ‘memory protection’ and ‘source code analysis’. This article describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.

Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-14436 (URN)10.4018/jisp.2007100101 (DOI)
Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2018-01-13
Duma, C., Herzog, A. & Shahmehri, N. (2007). Privacy in the Semantic Web: What Policy Languages Have to Offer. In: IEEE Workshop on Policies for Distributed Systems and Networks,2007: . Paper presented at IEEE Workshop on Policies for Distributed Systems and Networks,2007 (pp. 109). Bologna, Italy: IEEE
Öppna denna publikation i ny flik eller fönster >>Privacy in the Semantic Web: What Policy Languages Have to Offer
2007 (Engelska)Ingår i: IEEE Workshop on Policies for Distributed Systems and Networks,2007, Bologna, Italy: IEEE , 2007, s. 109-Konferensbidrag, Publicerat paper (Refereegranskat)
Ort, förlag, år, upplaga, sidor
Bologna, Italy: IEEE, 2007
Nyckelord
policy, privacy, semantic web
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-37670 (URN)10.1109/POLICY.2007.39 (DOI)37265 (Lokalt ID)37265 (Arkivnummer)37265 (OAI)
Konferens
IEEE Workshop on Policies for Distributed Systems and Networks,2007
Tillgänglig från: 2009-10-10 Skapad: 2009-10-10 Senast uppdaterad: 2018-01-13
Herzog, A. & Shahmehri, N. (2007). Usability and security of personal firewalls. In: International Information Security Conference IFIP TC-11,2007: . Paper presented at International Information Security Conference IFIP TC-11,2007 (pp. 37). New York, NY, USA: Springer Verlag
Öppna denna publikation i ny flik eller fönster >>Usability and security of personal firewalls
2007 (Engelska)Ingår i: International Information Security Conference IFIP TC-11,2007, New York, NY, USA: Springer Verlag , 2007, s. 37-Konferensbidrag, Publicerat paper (Refereegranskat)
Ort, förlag, år, upplaga, sidor
New York, NY, USA: Springer Verlag, 2007
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-37471 (URN)36087 (Lokalt ID)36087 (Arkivnummer)36087 (OAI)
Konferens
International Information Security Conference IFIP TC-11,2007
Tillgänglig från: 2009-10-10 Skapad: 2009-10-10 Senast uppdaterad: 2018-01-13
Herzog, A. & Shahmehri, N. (2007). Usability and security of personal firewalls. In: New Approaches for Security, Privacy and Trust in Complex Environments: (pp. 37-48). Springer Berlin/Heidelberg
Öppna denna publikation i ny flik eller fönster >>Usability and security of personal firewalls
2007 (Engelska)Ingår i: New Approaches for Security, Privacy and Trust in Complex Environments, Springer Berlin/Heidelberg, 2007, s. 37-48Kapitel i bok, del av antologi (Övrigt vetenskapligt)
Abstract [en]

Effective security of a personal firewall depends on (1) the rule granularity and the implementation of the rule enforcement and (2) the correctness and granularity of user decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user’s false sense of security. This study assesses effective security of 13 personal firewalls by comparing possible granularity of rules as well as the usability of rule set-up and its influence on security.

In order to evaluate usability, we have submitted each firewall to use cases that require user decisions and cause rule creation. In order to evaluate the firewalls’ security, we analysed the created rules. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess the firewalls’ behaviour in misuse cases. We have conducted a cognitive walkthrough paying special attention to user guidance and user decision support.

We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.

Ort, förlag, år, upplaga, sidor
Springer Berlin/Heidelberg, 2007
Serie
IFIP International Federation for Information Processing, ISSN 1571-5736, E-ISSN 1861-2288 ; Vol 232
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-14434 (URN)10.1007/978-0-387-72367-9_4 (DOI)978-0-387-72366-2 (ISBN)978-0-387-72367-9 (ISBN)
Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2018-02-20Bibliografiskt granskad
Herzog, A. (2007). Usable Security Policies for Runtime Environments. (Doctoral dissertation). : Institutionen för datavetenskap
Öppna denna publikation i ny flik eller fönster >>Usable Security Policies for Runtime Environments
2007 (Engelska)Doktorsavhandling, sammanläggning (Övrigt vetenskapligt)
Abstract [en]

The runtime environments provided by application-level virtual machines such as the Java Virtual Machine or the .NET Common Language Runtime are attractive for Internet application providers because the applications can be deployed on any platform that supports the target virtual machine. With Internet applications, organisations as well as end users face the risk of viruses, trojans, and denial of service attacks. Virtual machine providers are aware of these Internet security risks and provide, for example, runtime monitoring of untrusted code and access control to sensitive resources.

Our work addresses two important security issues in runtime environments. The first issue concerns resource or release control. While many virtual machines provide runtime access control to resources, they do not provide any means of limiting the use of a resource once access is granted; they do not provide so-called resource control. We have addressed the issue of resource control in the example of the Java Virtual Machine. In contrast to others’ work, our solution builds on an enhancement to the existing security architecture. We demonstrate that resource control permissions for Java-mediated resources can be integrated into the regular Java security architecture, thus leading to a clean design and a single external security policy.

The second issue that we address is the usabilityhttps://www.diva-portal.org/liu/webform/form.jsp

DiVA Web Form and security of the setup of security policies for runtime environments. Access control decisions are based on external configuration files, the security policy, which must be set up by the end user. This set-up is security-critical but also complicated and errorprone for a lay end user and supportive, usable tools are so far missing. After one of our usability studies signalled that offline editing of the configuration file is inefficient and difficult for end users, we conducted a usability study of personal firewalls to identify usable ways of setting up a security policy at runtime. An analysis of general user help techniques together with the results from the two previous studies resulted in a proposal of design guidelines for applications that need to set up a security policy. Our guidelines have been used for the design and implementation of the tool JPerM that sets the Java security policy at runtime. JPerM evaluated positively in a usability study and supports the validity of our design guidelines.

Ort, förlag, år, upplaga, sidor
Institutionen för datavetenskap, 2007
Serie
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1075
Nyckelord
Information security, Usability, Java, Resource control, Virtual machine
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-8809 (URN)978-91-85715-65-7 (ISBN)
Disputation
2007-05-29, Visionen, Hus B, Campus Valla, Linköpings universitet, Linköping, 10:15 (Engelska)
Opponent
Handledare
Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2018-01-13
Herzog, A. & Shahmehri, N. (2007). Usable Set-up of Runtime Security Policies. In: International Symposium on Human Aspects of Information Security and Assurance,2007: . Paper presented at International Symposium on Human Aspects of Information Security and Assurance,2007 (pp. 394-407). Emerald Group Publishing Limited
Öppna denna publikation i ny flik eller fönster >>Usable Set-up of Runtime Security Policies
2007 (Engelska)Ingår i: International Symposium on Human Aspects of Information Security and Assurance,2007, Emerald Group Publishing Limited, 2007, s. 394-407Konferensbidrag, Publicerat paper (Refereegranskat)
Ort, förlag, år, upplaga, sidor
Emerald Group Publishing Limited, 2007
Serie
Information Management & Computer Security, ISSN 0968-5227
Nyckelord
security, usability, Java
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-37684 (URN)37346 (Lokalt ID)37346 (Arkivnummer)37346 (OAI)
Konferens
International Symposium on Human Aspects of Information Security and Assurance,2007
Tillgänglig från: 2009-10-10 Skapad: 2009-10-10 Senast uppdaterad: 2018-01-13
Herzog, A. & Shahmehri, N. (2007). Usable set-up of runtime security policies. Information Management & Computer Security, 15(5), 394-407
Öppna denna publikation i ny flik eller fönster >>Usable set-up of runtime security policies
2007 (Engelska)Ingår i: Information Management & Computer Security, ISSN 0968-5227, Vol. 15, nr 5, s. 394-407Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

Purpose: This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.

Design/methodology/approach: This work is an exploratory study. The authors hypothesised that existing tools for runtime set-up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state-of-the-art.

Findings: Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set-up of security policies.

Practical implications: Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.

Originality/value: The devised guidelines focus specifically on the set-up of runtime security policies and therefore on the design of alert windows.

Nyckelord
Business policy, Data security, Internet, Java
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-14435 (URN)10.1108/09685220710831134 (DOI)
Anmärkning

Special Issue of Information Management & Computer Security: Selected Papers from the HAISA 2007 Symposium.

Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2018-01-13
Herzog, A. & Shahmehri, N. (2007). User help techniques for usable security. In: Proceedings of the 1st Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’07) ACM Press, Boston, MA, USA: . New York: ACM
Öppna denna publikation i ny flik eller fönster >>User help techniques for usable security
2007 (Engelska)Ingår i: Proceedings of the 1st Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’07) ACM Press, Boston, MA, USA, New York: ACM , 2007Kapitel i bok, del av antologi (Övrigt vetenskapligt)
Abstract [en]

There are a number of security-critical applications such as personal firewalls, web browsers and e-mail clients, whose users have little or no security knowledge and are easily confused, even frustrated by menus, messages or dialog boxes that deal with security issues.

While there are evaluations of existing applications and proposals for new approaches or design guidelines for usable security applications, little effort has been invested in determining how applications can help users in security decisions and security tasks. The purpose of this work is to analyse conventional and security-specific user help techniques with regard to their usefulness in supporting lay users in security applications.

We analyse the following help techniques: online documentation, context-sensitive help, wizards, assistants, safe staging and social navigation, and complement these with the tempting alternative of built-in, hidden security. Criteria for the analysis are derived from the type of user questions that can arise in applications and from definitions of when a security application can be called usable.

Designers of security applications can use our analysis as general recommendations for when and how to use and combine user help techniques in security applications, but they can also use the analysis as a template. They can instantiate the template for their specific application to arrive at a concrete analysis of which user help techniques are most suitable in their specific case.

Ort, förlag, år, upplaga, sidor
New York: ACM, 2007
Nyckelord
on-line help, safe staging, social navigation, usable security, user help, wizard
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:liu:diva-14433 (URN)10.1145/1234772.1234787 (DOI)1-59593-635-6 (ISBN)
Anmärkning

Article No. 11

Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2018-01-13Bibliografiskt granskad
Herzog, A. & Shahmehri, N. (2006). A usability study of security policy management. In: Security and Privacy in Dynamic Environments. Proceedings of the 21st International Information Security Conference (IFIP TC-11) (SEC’06): . Paper presented at 21st International Information Security Conference (IFIP TC-11) (SEC’06) (pp. 296-306).
Öppna denna publikation i ny flik eller fönster >>A usability study of security policy management
2006 (Engelska)Ingår i: Security and Privacy in Dynamic Environments. Proceedings of the 21st International Information Security Conference (IFIP TC-11) (SEC’06), 2006, s. 296-306Konferensbidrag, Publicerat paper (Övrigt vetenskapligt)
Abstract [en]

The Java Security Manager is one major security feature of the Java programming language. However, in many Java applications the Security Manager is not enabled because it slows execution time. This paper explores the performance of the Java Security Manager in depth, identifies the permissions with the worst performance and gives advice on how to use the Security Manager in a more efficient way.

Our performance test shows that the CPU execution time penalty varies between 5% and 100% per resource access statement. This extreme range is due to the fact that some resource accesses are costly (such as file and socket access) and therefore hide the performance penalty for the access control check almost completely. The time penalty is much more noticeable with access to main memory resources (such as Java objects).

In order to achieve reasonable response times, it is of utmost importance to tune garbage collection because the Java Security Manager creates short-lived objects during its permission check. Also, the order of permissions in the policy file can be important.

Nyckelord
Java; Performance; Security; Security Manager; Access controller; Permission; Policy; CPU execution time
Nationell ämneskategori
Teknik och teknologier
Identifikatorer
urn:nbn:se:liu:diva-14432 (URN)10.1007/0-387-33406-8_25 (DOI)
Konferens
21st International Information Security Conference (IFIP TC-11) (SEC’06)
Tillgänglig från: 2007-04-27 Skapad: 2007-04-27 Senast uppdaterad: 2014-06-24
Organisationer

Sök vidare i DiVA

Visa alla publikationer