liu.seSearch for publications in DiVA
Change search
Refine search result
1 - 17 of 17
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rows per page
  • 5
  • 10
  • 20
  • 50
  • 100
  • 250
Sort
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
  • Standard (Relevance)
  • Author A-Ö
  • Author Ö-A
  • Title A-Ö
  • Title Ö-A
  • Publication type A-Ö
  • Publication type Ö-A
  • Issued (Oldest first)
  • Issued (Newest first)
  • Created (Oldest first)
  • Created (Newest first)
  • Last updated (Oldest first)
  • Last updated (Newest first)
  • Disputation date (earliest first)
  • Disputation date (latest first)
Select
The maximal number of hits you can export is 250. When you want to export more records please use the Create feeds function.
  • 1.
    Duma, Claudiu
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Herzog, Almut
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Privacy in the Semantic Web: What Policy Languages Have to Offer2007In: IEEE Workshop on Policies for Distributed Systems and Networks,2007, Bologna, Italy: IEEE , 2007, p. 109-Conference paper (Refereed)
  • 2.
    Herzog, Almut
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Secure execution environment for Java electronic services2002Licentiate thesis, monograph (Other academic)
    Abstract [en]

    Private homes are becoming increasingly connected to the Internet in fast and reliable ways. These connections pave the way for networked services, i.e. services that gain their value through their connectivity. Examples of such electronic services (e-services) are services for remote control of household appliances, home health care or infotainment.

    Residential gateways connect the private home with the Internet and are the home access point and one execution platform for e-services. Potentially, a residential gateway runs e-services from multiple providers. The software environment of such a residential gateway is a Java execution environment where e-services execute as Java threads within the Java virtual machine. The isolation of these Java e-services from each other and from their execution environment is the topic of this thesis.

    Although the results of this thesis can be applied to most Java servers-e.g. Javaenabled web browsers, web servers, JXTA, JINI-this work focuses on e-services for the private home and their execution platform. Security for the private home as a prerequisite for end user acceptance is the motivation for this approach.

    This thesis establishes requirements that prevent e-services on the Java execution platform from harming other e-services on the same or other network nodes and that prevent e-services from harming their underlying execution environment. Some of the requirements can be fulfilled by using the existing Java sandbox for access control. Other requirements, concerned with availability of e-services and network nodes, need a modified Java environment that supports resource control and e-service-specific access control. While some of the requirements result in implementation guidelines for Java servers, and in particular for the e-service environment, other requirements have been implemented as a proof of concept. 

  • 3.
    Herzog, Almut
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Usable Security Policies for Runtime Environments2007Doctoral thesis, comprehensive summary (Other academic)
    Abstract [en]

    The runtime environments provided by application-level virtual machines such as the Java Virtual Machine or the .NET Common Language Runtime are attractive for Internet application providers because the applications can be deployed on any platform that supports the target virtual machine. With Internet applications, organisations as well as end users face the risk of viruses, trojans, and denial of service attacks. Virtual machine providers are aware of these Internet security risks and provide, for example, runtime monitoring of untrusted code and access control to sensitive resources.

    Our work addresses two important security issues in runtime environments. The first issue concerns resource or release control. While many virtual machines provide runtime access control to resources, they do not provide any means of limiting the use of a resource once access is granted; they do not provide so-called resource control. We have addressed the issue of resource control in the example of the Java Virtual Machine. In contrast to others’ work, our solution builds on an enhancement to the existing security architecture. We demonstrate that resource control permissions for Java-mediated resources can be integrated into the regular Java security architecture, thus leading to a clean design and a single external security policy.

    The second issue that we address is the usabilityhttps://www.diva-portal.org/liu/webform/form.jsp

    DiVA Web Form and security of the setup of security policies for runtime environments. Access control decisions are based on external configuration files, the security policy, which must be set up by the end user. This set-up is security-critical but also complicated and errorprone for a lay end user and supportive, usable tools are so far missing. After one of our usability studies signalled that offline editing of the configuration file is inefficient and difficult for end users, we conducted a usability study of personal firewalls to identify usable ways of setting up a security policy at runtime. An analysis of general user help techniques together with the results from the two previous studies resulted in a proposal of design guidelines for applications that need to set up a security policy. Our guidelines have been used for the design and implementation of the tool JPerM that sets the Java security policy at runtime. JPerM evaluated positively in a usability study and supports the validity of our design guidelines.

    List of papers
    1. An evaluation of Java application containers according to security requirements
    Open this publication in new window or tab >>An evaluation of Java application containers according to security requirements
    2005 (English)In: Proceedings of the 14th IEEE International Workshops on Enabling Technologies, 2005, p. 178-183Conference paper, Published paper (Refereed)
    Abstract [en]

    Web browsers, Web servers, Java application servers and OSGi frameworks are all instances of Java execution environments that tun more or less untrusted Java applications. In all these environments, Java applications can come from different sources. Consequently, application developers rarely know which other applications exist in the target Java execution environment. This paper investigates the requirements that need to be imposed on such a container from a security point of view and how the requirements have been implemented by different Java application containers. More specifically, we show a general risk analysis considering assets, threats and vulnerabilities of a Java container. This risk analysis exposes generic Java security problems and leads to a set of security requirements. These security requirements are then used to evaluate the security architecture of existing Java containers for Java applications, applets, servlets, OSGi bundles, and Enterprise Java Beans. For comparison, the requirements are also examined for a C++ application.

    National Category
    Engineering and Technology
    Identifiers
    urn:nbn:se:liu:diva-14429 (URN)10.1109/WETICE.2005.18 (DOI)
    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2009-05-18
    2. Performance of the Java Security Manager
    Open this publication in new window or tab >>Performance of the Java Security Manager
    2005 (English)In: Computers and Security, ISSN 0167-4048, Vol. 24, no 3, p. 192-207Article in journal (Refereed) Published
    Abstract [en]

    The Java Security Manager is one major security feature of the Java programming language. However, in many Java applications the Security Manager is not enabled because it slows execution time. This paper explores the performance of the Java Security Manager in depth, identifies the permissions with the worst performance and gives advice on how to use the Security Manager in a more efficient way.

    Our performance test shows that the CPU execution time penalty varies between 5% and 100% per resource access statement. This extreme range is due to the fact that some resource accesses are costly (such as file and socket access) and therefore hide the performance penalty for the access control check almost completely. The time penalty is much more noticeable with access to main memory resources (such as Java objects).

    In order to achieve reasonable response times, it is of utmost importance to tune garbage collection because the Java Security Manager creates short-lived objects during its permission check. Also, the order of permissions in the policy file can be important.

    Keywords
    Java; Performance; Security; Security Manager; Access controller; Permission; Policy; CPU execution time
    National Category
    Engineering and Technology
    Identifiers
    urn:nbn:se:liu:diva-14430 (URN)10.1016/j.cose.2004.08.006 (DOI)
    Available from: 2007-04-27 Created: 2007-04-27
    3. Using the Java sandbox for resource control
    Open this publication in new window or tab >>Using the Java sandbox for resource control
    2002 (English)In: Proceedings of the 7th Nordic Workshop on Secure IT Systems (NordSec’02), 2002, p. 135-147Conference paper, Published paper (Other academic)
    Keywords
    Java, security, resource control
    National Category
    Engineering and Technology
    Identifiers
    urn:nbn:se:liu:diva-14431 (URN)
    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2009-05-19
    4. A usability study of security policy management
    Open this publication in new window or tab >>A usability study of security policy management
    2006 (English)In: Security and Privacy in Dynamic Environments. Proceedings of the 21st International Information Security Conference (IFIP TC-11) (SEC’06), 2006, p. 296-306Conference paper, Published paper (Other academic)
    Abstract [en]

    The Java Security Manager is one major security feature of the Java programming language. However, in many Java applications the Security Manager is not enabled because it slows execution time. This paper explores the performance of the Java Security Manager in depth, identifies the permissions with the worst performance and gives advice on how to use the Security Manager in a more efficient way.

    Our performance test shows that the CPU execution time penalty varies between 5% and 100% per resource access statement. This extreme range is due to the fact that some resource accesses are costly (such as file and socket access) and therefore hide the performance penalty for the access control check almost completely. The time penalty is much more noticeable with access to main memory resources (such as Java objects).

    In order to achieve reasonable response times, it is of utmost importance to tune garbage collection because the Java Security Manager creates short-lived objects during its permission check. Also, the order of permissions in the policy file can be important.

    Keywords
    Java; Performance; Security; Security Manager; Access controller; Permission; Policy; CPU execution time
    National Category
    Engineering and Technology
    Identifiers
    urn:nbn:se:liu:diva-14432 (URN)10.1007/0-387-33406-8_25 (DOI)
    Conference
    21st International Information Security Conference (IFIP TC-11) (SEC’06)
    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2014-06-24
    5. User help techniques for usable security
    Open this publication in new window or tab >>User help techniques for usable security
    2007 (English)In: Proceedings of the 1st Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’07) ACM Press, Boston, MA, USA, New York: ACM , 2007Chapter in book (Other academic)
    Abstract [en]

    There are a number of security-critical applications such as personal firewalls, web browsers and e-mail clients, whose users have little or no security knowledge and are easily confused, even frustrated by menus, messages or dialog boxes that deal with security issues.

    While there are evaluations of existing applications and proposals for new approaches or design guidelines for usable security applications, little effort has been invested in determining how applications can help users in security decisions and security tasks. The purpose of this work is to analyse conventional and security-specific user help techniques with regard to their usefulness in supporting lay users in security applications.

    We analyse the following help techniques: online documentation, context-sensitive help, wizards, assistants, safe staging and social navigation, and complement these with the tempting alternative of built-in, hidden security. Criteria for the analysis are derived from the type of user questions that can arise in applications and from definitions of when a security application can be called usable.

    Designers of security applications can use our analysis as general recommendations for when and how to use and combine user help techniques in security applications, but they can also use the analysis as a template. They can instantiate the template for their specific application to arrive at a concrete analysis of which user help techniques are most suitable in their specific case.

    Place, publisher, year, edition, pages
    New York: ACM, 2007
    Keywords
    on-line help, safe staging, social navigation, usable security, user help, wizard
    National Category
    Computer Sciences
    Identifiers
    urn:nbn:se:liu:diva-14433 (URN)10.1145/1234772.1234787 (DOI)1-59593-635-6 (ISBN)
    Note

    Article No. 11

    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2018-01-13Bibliographically approved
    6. Usability and security of personal firewalls
    Open this publication in new window or tab >>Usability and security of personal firewalls
    2007 (English)In: New Approaches for Security, Privacy and Trust in Complex Environments, Springer Berlin/Heidelberg, 2007, p. 37-48Chapter in book (Other academic)
    Abstract [en]

    Effective security of a personal firewall depends on (1) the rule granularity and the implementation of the rule enforcement and (2) the correctness and granularity of user decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user’s false sense of security. This study assesses effective security of 13 personal firewalls by comparing possible granularity of rules as well as the usability of rule set-up and its influence on security.

    In order to evaluate usability, we have submitted each firewall to use cases that require user decisions and cause rule creation. In order to evaluate the firewalls’ security, we analysed the created rules. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess the firewalls’ behaviour in misuse cases. We have conducted a cognitive walkthrough paying special attention to user guidance and user decision support.

    We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.

    Place, publisher, year, edition, pages
    Springer Berlin/Heidelberg, 2007
    Series
    IFIP International Federation for Information Processing, ISSN 1571-5736, E-ISSN 1861-2288 ; Vol 232
    National Category
    Computer Sciences
    Identifiers
    urn:nbn:se:liu:diva-14434 (URN)10.1007/978-0-387-72367-9_4 (DOI)978-0-387-72366-2 (ISBN)978-0-387-72367-9 (ISBN)
    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2018-02-20Bibliographically approved
    7. Usable set-up of runtime security policies
    Open this publication in new window or tab >>Usable set-up of runtime security policies
    2007 (English)In: Information Management & Computer Security, ISSN 0968-5227, Vol. 15, no 5, p. 394-407Article in journal (Refereed) Published
    Abstract [en]

    Purpose: This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.

    Design/methodology/approach: This work is an exploratory study. The authors hypothesised that existing tools for runtime set-up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state-of-the-art.

    Findings: Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set-up of security policies.

    Practical implications: Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.

    Originality/value: The devised guidelines focus specifically on the set-up of runtime security policies and therefore on the design of alert windows.

    Keywords
    Business policy, Data security, Internet, Java
    National Category
    Computer Sciences
    Identifiers
    urn:nbn:se:liu:diva-14435 (URN)10.1108/09685220710831134 (DOI)
    Note

    Special Issue of Information Management & Computer Security: Selected Papers from the HAISA 2007 Symposium.

    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2018-01-13
    8. An ontology of information security
    Open this publication in new window or tab >>An ontology of information security
    2007 (English)In: International Journal of Information Security and Privacy, ISSN 1930-1650, Vol. 1, no 4, p. 1-23Article in journal (Refereed) Published
    Abstract [en]

    We present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities, countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap, and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, for example, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. We provide the means for extending the ontology, and provide examples of the extendibility with the countermeasure classes ‘memory protection’ and ‘source code analysis’. This article describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.

    National Category
    Computer Sciences
    Identifiers
    urn:nbn:se:liu:diva-14436 (URN)10.4018/jisp.2007100101 (DOI)
    Available from: 2007-04-27 Created: 2007-04-27 Last updated: 2018-01-13
  • 4.
    Herzog, Almut
    et al.
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Lind, Leili
    Linköping University, Department of Biomedical Engineering, Medical Informatics. Linköping University, The Institute of Technology.
    Network solutions for home health care applications2003In: Technology and Health Care, ISSN 0928-7329, E-ISSN 1878-7401, Vol. 11, no 2, p. 77-87Article in journal (Refereed)
    Abstract [en]

    The growing number of the elderly in industrialised countries is increasing the pressure on respective health care systems. This is one reason for recent trends in the development and expansion of home health care organisations. With Internet access available to everyone and the advent of wireless technologies, advanced telehomecare is a possibility for a large proportion of the population.

    In the near future, one of the authors plans to implement a home health care infrastructure for patients with congestive heart failure and patients with chronic obstructive pulmonary disease. The system is meant to support regular and ad-hoc measurements of medical parameters in patient homes and transmission of measurement data to the home health care provider.

    In this paper we look at network technologies that connect sensors and input devices in the patient home to a home health care provider. We consider wireless and Internet technologies from functional and security-related perspectives and arrive at a recommendation for our system.

    Security and usability aspects of the proposed network infrastructures are explored with special focus on their impact on the patient home.

  • 5.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    A usability study of security policy management2006In: Security and Privacy in Dynamic Environments. Proceedings of the 21st International Information Security Conference (IFIP TC-11) (SEC’06), 2006, p. 296-306Conference paper (Other academic)
    Abstract [en]

    The Java Security Manager is one major security feature of the Java programming language. However, in many Java applications the Security Manager is not enabled because it slows execution time. This paper explores the performance of the Java Security Manager in depth, identifies the permissions with the worst performance and gives advice on how to use the Security Manager in a more efficient way.

    Our performance test shows that the CPU execution time penalty varies between 5% and 100% per resource access statement. This extreme range is due to the fact that some resource accesses are costly (such as file and socket access) and therefore hide the performance penalty for the access control check almost completely. The time penalty is much more noticeable with access to main memory resources (such as Java objects).

    In order to achieve reasonable response times, it is of utmost importance to tune garbage collection because the Java Security Manager creates short-lived objects during its permission check. Also, the order of permissions in the policy file can be important.

  • 6.
    Herzog, Almut
    et al.
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    An evaluation of Java application containers according to security requirements2005In: Proceedings of the 14th IEEE International Workshops on Enabling Technologies, 2005, p. 178-183Conference paper (Refereed)
    Abstract [en]

    Web browsers, Web servers, Java application servers and OSGi frameworks are all instances of Java execution environments that tun more or less untrusted Java applications. In all these environments, Java applications can come from different sources. Consequently, application developers rarely know which other applications exist in the target Java execution environment. This paper investigates the requirements that need to be imposed on such a container from a security point of view and how the requirements have been implemented by different Java application containers. More specifically, we show a general risk analysis considering assets, threats and vulnerabilities of a Java container. This risk analysis exposes generic Java security problems and leads to a set of security requirements. These security requirements are then used to evaluate the security architecture of existing Java containers for Java applications, applets, servlets, OSGi bundles, and Enterprise Java Beans. For comparison, the requirements are also examined for a C++ application.

  • 7.
    Herzog, Almut
    et al.
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Performance of the Java Security Manager2005In: Computers and Security, ISSN 0167-4048, Vol. 24, no 3, p. 192-207Article in journal (Refereed)
    Abstract [en]

    The Java Security Manager is one major security feature of the Java programming language. However, in many Java applications the Security Manager is not enabled because it slows execution time. This paper explores the performance of the Java Security Manager in depth, identifies the permissions with the worst performance and gives advice on how to use the Security Manager in a more efficient way.

    Our performance test shows that the CPU execution time penalty varies between 5% and 100% per resource access statement. This extreme range is due to the fact that some resource accesses are costly (such as file and socket access) and therefore hide the performance penalty for the access control check almost completely. The time penalty is much more noticeable with access to main memory resources (such as Java objects).

    In order to achieve reasonable response times, it is of utmost importance to tune garbage collection because the Java Security Manager creates short-lived objects during its permission check. Also, the order of permissions in the policy file can be important.

  • 8.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems.
    Shahmehri, Nahid
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems.
    Problems Running Untrusted Services as Java Threads2005In: International Workshop on Certification and Security in Inter-Organizational E-Services CSES04,2004, New York, NY, U.S.A: Springer , 2005, p. 19-Conference paper (Refereed)
  • 9.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Usability and security of personal firewalls2007In: International Information Security Conference IFIP TC-11,2007, New York, NY, USA: Springer Verlag , 2007, p. 37-Conference paper (Refereed)
  • 10.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Usability and security of personal firewalls2007In: New Approaches for Security, Privacy and Trust in Complex Environments, Springer Berlin/Heidelberg, 2007, p. 37-48Chapter in book (Other academic)
    Abstract [en]

    Effective security of a personal firewall depends on (1) the rule granularity and the implementation of the rule enforcement and (2) the correctness and granularity of user decisions at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all because of the user’s false sense of security. This study assesses effective security of 13 personal firewalls by comparing possible granularity of rules as well as the usability of rule set-up and its influence on security.

    In order to evaluate usability, we have submitted each firewall to use cases that require user decisions and cause rule creation. In order to evaluate the firewalls’ security, we analysed the created rules. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess the firewalls’ behaviour in misuse cases. We have conducted a cognitive walkthrough paying special attention to user guidance and user decision support.

    We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.

  • 11.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Usable Set-up of Runtime Security Policies2007In: International Symposium on Human Aspects of Information Security and Assurance,2007, Emerald Group Publishing Limited, 2007, p. 394-407Conference paper (Refereed)
  • 12.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Usable set-up of runtime security policies2007In: Information Management & Computer Security, ISSN 0968-5227, Vol. 15, no 5, p. 394-407Article in journal (Refereed)
    Abstract [en]

    Purpose: This paper aims to present concrete and verified guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy.

    Design/methodology/approach: This work is an exploratory study. The authors hypothesised that existing tools for runtime set-up of security policies are not sufficient. As this proved true, as shown in earlier work, they apply usability engineering with user studies to advance the state-of-the-art.

    Findings: Little effort has been spent on how security policies can be set up by the lay users for whom they are intended. This work identifies what users want and need for a successful runtime set-up of security policies.

    Practical implications: Concrete and verified guidelines are provided for designers who are faced with the task of delegating security decisions to lay users.

    Originality/value: The devised guidelines focus specifically on the set-up of runtime security policies and therefore on the design of alert windows.

  • 13.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    User help techniques for usable security2007In: Proceedings of the 1st Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’07) ACM Press, Boston, MA, USA, New York: ACM , 2007Chapter in book (Other academic)
    Abstract [en]

    There are a number of security-critical applications such as personal firewalls, web browsers and e-mail clients, whose users have little or no security knowledge and are easily confused, even frustrated by menus, messages or dialog boxes that deal with security issues.

    While there are evaluations of existing applications and proposals for new approaches or design guidelines for usable security applications, little effort has been invested in determining how applications can help users in security decisions and security tasks. The purpose of this work is to analyse conventional and security-specific user help techniques with regard to their usefulness in supporting lay users in security applications.

    We analyse the following help techniques: online documentation, context-sensitive help, wizards, assistants, safe staging and social navigation, and complement these with the tempting alternative of built-in, hidden security. Criteria for the analysis are derived from the type of user questions that can arise in applications and from definitions of when a security application can be called usable.

    Designers of security applications can use our analysis as general recommendations for when and how to use and combine user help techniques in security applications, but they can also use the analysis as a template. They can instantiate the template for their specific application to arrive at a concrete analysis of which user help techniques are most suitable in their specific case.

  • 14.
    Herzog, Almut
    et al.
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Using the Java sandbox for resource control2002In: Proceedings of the 7th Nordic Workshop on Secure IT Systems (NordSec’02), 2002, p. 135-147Conference paper (Other academic)
  • 15.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Duma, Claudiu
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    An ontology for information security2009In: Techniques and applications for advanced information privacy and security: emerging organizational, ethical and human issues / [ed] Nemadi H, Information Science Reference , 2009, 1, p. 278-301Chapter in book (Other academic)
    Abstract [en]

    Advances in technology are causing new privacy concerns as an increasing number of citizens are engaging in online activities.

    Techniques and Applications for Advanced Information Privacy and Security: Emerging Organizational, Ethical, and Human Issues provides a thorough understanding of issues and concerns in information technology security. An advanced reference source covering topics such as security management, privacy preservation, and authentication, this book outlines the field and provides a basic understanding of the most salient issues in privacy concerns for researchers and practitioners.

    Show more Show less

  • 16.
    Herzog, Almut
    et al.
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    Shahmehri, Nahid
    Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
    Duma, Claudiu
    Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
    An ontology of information security2007In: International Journal of Information Security and Privacy, ISSN 1930-1650, Vol. 1, no 4, p. 1-23Article in journal (Refereed)
    Abstract [en]

    We present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities, countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap, and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, for example, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. We provide the means for extending the ontology, and provide examples of the extendibility with the countermeasure classes ‘memory protection’ and ‘source code analysis’. This article describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.

  • 17.
    Roback, Kerstin
    et al.
    Linköping University, Department of Medicine and Health Sciences, Health Technology Assessment. Linköping University, The Institute of Technology.
    Herzog, Almut
    Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems. Linköping University, The Institute of Technology.
    Home informatics in healthcare: Assessment guidelines to keep up quality of care and avoid adverse effects2003In: Technology and Health Care - European Society for Engineering and Medicine, ISSN 0928-7329, Vol. 11, no 3, p. 195-206Article in journal (Refereed)
    Abstract [en]

    Due to an ageing population and improved treatment possibilities, a shortage in hospital beds is a fact in many countries. Home healthcare schemes using information technology (IT) are under development as a response to this and with the intention to produce a more cost-effective care. So far it has been shown that home healthcare is beneficial to certain patient groups. The trend is a widening of the criteria for admission to home healthcare, which means treatment in the home of more severe conditions that otherwise would require in-hospital care. Home informatics has the potential to become a means of providing good care at home. In this process, it is important to consider what new risks will be encountered when placing electronic equipment in the home care environment. Continuous assessment and guidance is important in order to achieve a safe and effective care. Based on a review of current knowledge this paper presents an inventory of risks and adverse events specific to this area. It was found that risks and adverse events could stem from technology in itself, from human-technology interaction conditions or from the environment in which the technology is placed. As a result from the risk inventory, this paper proposes guidelines for the planning and assessment of IT-based hospital-at-home schemes . These assessment guidelines are specifically aimed at performance improvement and thus to be considered a complement to the more general guidelines on telehomecare adopted by the American Telemedicine Association (ATA) in October 2002.

1 - 17 of 17
CiteExportLink to result list
Permanent link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf