S. Faily I. Fléchais



Similar documents
Grounded Theory. 1 Introduction Applications of grounded theory Outline of the design... 2

ORGANISATIONAL CULTURE. Students what do you all think Organizational Culture is? Can you all define it in your own way.

A Theoretical Model of Augmented Reality Acceptance

Secure Software Design in Practice ARES SECSE Workshop

On the attributes of a critical literature review. Saunders, Mark N. K. 1 & Rojon, Céline 2. United Kingdom.

Methodical Notes for part-time BMCF TM study course M_SM / PROJECT MANAGEMENT

Basic underlying assumptions

A methodology for knowledge based project management (Work in progress)

MRS Diploma in Market & Social Research Practice Full Syllabus & Assessment Guidelines

GRCM: A Model for Global Requirements Change Management

The Role of Knowledge Management in Building E-Business Strategy

Introduction to Software Engineering

Management and Leadership in Healthcare

Fuzzy Cognitive Map for Software Testing Using Artificial Intelligence Techniques

COURSE SPECIFICATION DOCUMENT. Business and Economics. Masters of Business Administration. Dr Parviz Dabir-Alai

Investing in renewables

Tales of Empirically Understanding and Providing Process Support for Migrating to Clouds

An ISO Compliant and Integrated Model for IT GRC (Governance, Risk Management and Compliance)

VEER NARMAD SOUTH GUJARAT UNIVERSITY, SURAT. M.A. SEMESTER-III PSYCHOLOGY PAPER CCT 13

Cyber Security Issues on E-Commerce

Data Analytics in Organisations and Business

1. Understanding Big Data

Human Computer Interaction

FINANCE AND ACCOUNTING OUTSOURCING AN EXPLORATORY STUDY OF SERVICE PROVIDERS AND THEIR CLIENTS IN AUSTRALIA AND NEW ZEALAND.

Requirements Engineering Process Models in Practice

Appendix 2: Intended learning outcomes of the Bachelor IBA

Working with College Students: Applying Student Development Theories to Practice. Lacy N. Karpilo, Ph.D Director of Residence Life

Improving Traceability of Requirements Through Qualitative Data Analysis

EFFECT OF ENVIRONMENTAL CONCERN & SOCIAL NORMS ON ENVIRONMENTAL FRIENDLY BEHAVIORAL INTENTIONS

Juliet Corbin and Anselm Strauss. Basics of Qualitative Research: Grounded Theory Procedures and Techniques 3 rd edition (Sage 2008)

Causes of Conflicts for Local Information Technology Managers in Multinational Companies

Developing Software with Scrum in a Small Cross-Organizational Project

Qualitative Data Analysis Week 8 Andre S amuel Samuel

B.Ed. Two Year Programme. F.2: Human Development, Diversity and Learning

How To Understand The Role Of A Nurse As An Advocate

TOWARDS PREDICTABLE B2B CUSTOMER SATISFACTION AND EXPERIENCE MANAGEMENT WITH CONTINUOUS IMPROVEMENT ASSETS AND RICH FEEDBACK

Requirements for Software Deployment Languages and Schema

MaaSter Microsoft Ecosystem Management with MaaS360. Chuck Brown Jimmy Tsang

Stock Market Reaction to Information Technology Investments in the USA and Poland: A Comparative Event Study

The use of Trade-offs in the development of Web Applications

OPEN UNIVERSITY OF TANZANIA FACULTY OF BUSINESS MANAGEMENT

International Journal of Information Technology & Computer Science ( IJITCS ) (ISSN No : ) Volume 6 : Issue on November / December, 2012

Strong Authentication for Microsoft TS Web / RD Web

LONDON SCHOOL OF COMMERCE. Programme Specifications for the. Cardiff Metropolitan University. MSc in International Hospitality Management

A Methodology for Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert

Mobile 2D Barcode/BIM-based Facilities Maintaining Management System

Bringing agility to Business Intelligence Metadata as key to Agile Data Warehousing. 1 P a g e.

Internal Marketing Orientation in Cultural Change Management for Organisation Development

Quality in Use: Meeting User Needs for Quality

The Role of Intangible Assets in Private Health Care Companies

BCS Certificate in Business Analysis Extended Syllabus. Version 2.4 March 2015

Learning Outcomes : On completion of this course students should be able to:

Evaluating Strengths and Weaknesses of Agile Scrum Framework using Knowledge Management

Stepanova Elina EFFECTIVE LEADERSHIP PhD economic science Siberian Federal University Krasnoyarsk

Factors Influencing an Organisation's Intention to Adopt Cloud Computing in Saudi Arabia

Communication Problems in Global Software Development: Spotlight on a New Field of Investigation

Towards a new paradigm of science

Applying the Principle of Least Privilege to Windows 7

The Role of Information Technology Studies in Software Product Quality Improvement

Accounting Problems of Research and Development

Level 4 Diploma in Advanced Hospitality and Tourism Management (VRQ) Qualification Syllabus

SAGGI NEVO Associate Professor Department of Information Technology Management Office: #393 School of Business University at Albany

International group work in software engineering

The "Alignment" Theory: Creating Strategic Fit

Exploring the roles and responsibilities of data centres and institutions in curating research data a preliminary briefing.

Project Planning With IT

Public Health Competency Based Employee Performance Management Self Assessment Tool - Manager/Supervisor

SSS 955 ADVANCED QUALITATIVE RESEARCH METHODOLOGIES

Scaling Down Large Projects to Meet the Agile Sweet Spot

Impact of Organizational Culture on Employee Performance

TEACHING OF INFORMATION ETHICS IN KENYA

Analysis and Design of Knowledge Management Systems for School of Information System at XYZ University (A Case Study Approach)

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

White paper. Supplier Performance Management Driving successful strategies & relationships

LEADERSHIP COMPETENCY FRAMEWORK

This is an author-deposited version published in : Eprints ID : 15447

Transcription:

Making the A theory of security culture for secure and usable grids S. Faily Computing Laboratory University of Oxford UK e-science All Hands Meeting 2008

Why Culture Values conflict. Existing understanding based on inappropriate contexts. Tools are value-free and not contextualised.

1 Grounded Theory [Corbin and Strauss, 2008] analysis from existing literature. 2 Comparative model derived from empirical data. 3 Theoretical and empirical models applied to a secure design process.

Case Studies NeuroGrid A grid based collaborative research environment [Geddes et al, 2006]. 3 clinical exemplars : Stroke, Dementia and Psychosis. Data both sensitive and distributed.

Case Studies Development Lifecycle A software development process for developing secure software [Howard and Lipner, 2006, Microsoft Corporation, 2008]. Pragmatic : based on Microsoft s experience securing Windows 2000,.NET and Windows Server 2003. Prescriptive: guidance for all stages of the secure software development lifecycle.

A combination of tangible and intangible factors within both an organisation s culture and its subcultures. Visible Tangible Socio- Measures Procedural Policy Perception Sub- Cultures Responsibility Socialisation Sub-culture norms In Intangible Compliant Behaviour Label Relation C is-associated-with C2 C1 is-part-of C2 C1 is-cause-of C2

Guideline 1 Have a single,, security policy Statements of management intent. Multiple forms of procedural control lead to multiple security perspectives. Reliance on social networks in lieu of policies. Visible Responsibility In Tangible Socio- Procedural Measures Policy Perception Sub-culture Socialisation norms Compliant Behaviour Intangible Sub- Cultures

Guideline 2 Leverage socialisation Socialisation is the process of developing culturally acceptable beliefs, values and behaviours [Brown, 1998]. Certificate installation as a rite of passage. Compliance and socialisation synonymous in the SDL. Visible Responsibility In Tangible Socio- Procedural Measures Policy Perception Sub-culture Socialisation norms Compliant Behaviour Intangible Sub- Cultures

Guideline 3 Model lines of responsibility Literature : organisational and moral responsibility. NeuroGrid : various and split between technical controls and assets. Ambiguity identified by modelling lines of responsibility before implementing a security policy. Visible Responsibility In Tangible Socio- Procedural Measures Policy Perception Sub-culture Socialisation norms Compliant Behaviour Intangible Sub- Cultures

Guideline 4 Know your subcultures Evident in NeuroGrid when asking users to describe how data was handled. Diffusion of Responsibility [Darley and Latané, 1970]. Understanding values helps to determine whether security will be sacrificed for operational goals. Visible Responsibility In Tangible Socio- Procedural Measures Policy Perception Sub-culture Socialisation norms Compliant Behaviour Intangible Sub- Cultures

Value Sensitive Design and the design process Identifies impacting human values and integrates them into the design process. Conceptual, Empirical and Investigation. Supplements existing design processes. Precedents in secure and usable design [Friedman et al., 2002, Friedman et al., 2005, Friedman et al., 2006] Conceptual Investigation Artifact Investigation Values Direct & Core Indirect Values Stakeholder Values Contexts Empirical Investigation

Augmenting Value Sensitive Design Conceptual Investigation. Augment with additional values. Empirical Investigation. Responsibility modelling. Investigation. Implications of augmenting the approach. Guideline Have a single, security policy Leverage socialisation Model lines of responsibility Understand your subcultures Value Compliant Behaviour Socialisation Responsibility Sub-culture norms

Contributions Culture : what is it and why do we need it. for a healthy security culture. An agenda for incorporating insights into the secure design process.

I Brown, A. (1998). Organisational Culture. Prentice Hall, 2nd edition. Corbin, J. M. and Strauss, A. L. (2008). Basics of qualitative research : techniques and procedures for developing grounded theory. Sage Publications, Inc., 3rd edition. Darley, J. M. and Latané, B. (1970). Norms and normative behaviour: field studies of social interdependence. In Berkowitz, L. and Macaulay, J., editors, Altruism and Helping Behaviour. Academic Press.

II Friedman, B., Howe, D., and Felten, E. (2002). Informed consent in the mozilla browser: implementing value-sensitive design. System Sciences, 2002. HICSS. Proceedings of the 35th Annual Hawaii International Conference on, pages 10 pp.. Friedman, B., Lin, P., and Miller, J. K. (2005). Informed consent by design. In Cranor, L. F. and Garfinkel, S., editors, and Usability: Designing Secure Systems that People Can Use. O Reilly Media.

III Friedman, B., Smith, I., Kahn Jr., P. H., Consolvo, S., and Selawski, J. (2006). Development of a privacy addendum for open source licenses: Value sensitive design in industry. In Dourish, P. and Friday, A., editors, Ubicomp 2006, LNSC 2006, pages 194 211. Springer-Verlag Berlin Heidelberg. Geddes et al (2006). The challenges of developing a collaborative data and compute grid for neurosciences. Computer-Based Medical Systems, 2006. CBMS 2006. 19th IEEE International Symposium on, pages 81 86.

IV Howard, M. and Lipner, S. (2006). The security development lifecycle: SDL, a process for developing demonstrably more secure software. Microsoft Press, Redmond, Wash. Microsoft Corporation (2008). Microsoft Development Lifecycle (SDL) - version 3.2. http://msdn.microsoft.com/en-gb/library/cc307748.aspx.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information