Risk Management, Policies, and Laws
This area includes tools and methods for understanding the context of security, and how to best allocate resources for protection of assets. This includes research into risk assessment and mitigation methodologies, policy development, the role of law and social pressure on security, economic aspects of security, cross-cultural issues governing security, cyberethics, simulation and modeling of security, and policy languages and proofs.
Transparency and Legal Compliance in Software Systems
This project, involving collaboration between North Carolina State University and Purdue University, addresses the design of healthcare information systems. Such systems are becoming ubiquitous and thus increasingly subject to attack, misuse and abuse. Specifications and designs of these systems often neglect security and privacy concerns. Moreover, regulations such as HIPAA (Health Insurance Portability and Accountability Act), as well as security and privacy policies, are difficult for users to understand and complex for software engineers to use as guides when designing and implementing systems. This project defines mechanisms that are needed to help analysts disambiguate regulations so that they may be clearly specified as software requirements. In addition, regulations are increasingly requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. Software controls are needed to provide assurances that business processes adhere to specific requirements, especially those derived from government regulations.
To address these challenges, the proposed work takes a holistic view of the design of transparent and legally compliant software systems. Key research questions that are addressed include:
- How should system requirements be specified so they may be realized in design and implementation to ensure legal and regulatory compliance?
- Given that software designs need to satisfy multiple stakeholders (organizations, law/policy makers, government agencies, public citizens, etc.) having contradictory, inconsistent and difficult-to-understand objectives, how can the design process of these systems be improved to lead to convergence and satisfaction of these requirements in a transparent and auditable fashion?
This project articulates a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. The broader impacts of this project are expected to be far reaching as law and regulations govern the collection, use, transfer and removal of information from software systems in many spheres of society.
Assessing Risk of Insider Threats to Information Systems
Even as tools and technologies are being improved to protect critical national infrastructures against external attack, malicious insiders, intent on damaging an organization or turning a profit, remain a pervasive and challenging problem. In an insider attack, the attacker uses legitimate rights and privileges for inappropriate reasons. Such attacks are difficult to detect and defend against: insiders exist at all levels of an organization; broad internet connectivity enables anyone to be a potential “insider”; technologies enforcing useful access rights either do not exist or are difficult to use; and insiders often do only small, hard-to-detect amounts of damage at a time.
PROJECT OVERVIEW
The Human Behavior, Insider Threat, and Awareness research project, supported by the Institute for Information Infrastructure Protection (I3P), brings together cross-disciplinary researchers at leading national facilities to develop a scalable infrastructure for detecting, monitoring, and preventing insider attacks with due regard for the ethical, legal, and economic needs of users and organizations. Much of the science for understanding insider threats is still immature, with results difficult to measure. This research project will provide a foundation both for understanding insider threats and for developing methods to protect critical infrastructures against insider attacks:
- Early prototypes of new approaches will be available for demonstration and use.
- New insights into enterprise best practice will inform training programs that might reshape the ways that employees think about their actions.
- Industry and government stakeholders will have a role in making project solutions useful in their real-world settings.
National Plant Diagnostic Network
The National Plant Diagnostic Network is part of a United States national plant biosecurity program established by the United States Department of Agriculture (USDA) and the Department of Homeland Security (DHS) in June 2002. The NPDN is part of an early warning system for plant pests and disease outbreaks. State departments of agriculture and the USDA Animal and Plant Health Inspection Service (APHIS) rely on the Network to provide early detection and preliminary diagnoses. The Network consists of five regional Network centers and one national database facility. Each NPDN center is located at a land grant university in strategically chosen locations around the US. The regional centers are located at Cornell University (Northeast Region; Ithaca, New York), Kansas State University (Great Plains Region; Manhattan, Kansas), Michigan State University (North Central Region; East Lansing, Michigan), the University of California at Davis (Western Region; Davis, California), and the University of Florida (Southern Region; Gainesville, Florida). The national database is located at Purdue University (West Lafayette, IN). These regional centers provide information technology infrastructure and Internet-based applications for plant diagnostic laboratories in their region. The national database is the central repository for NPDN data.
CERIAS provides information security consulting support to the NPDN. Since January 2004, site security assessments, system administrator training, and diagnostician security awareness efforts have been performed. Based on these efforts, the USDA provided funds specifically for additional information security projects throughout the regional centers. These funds were used to create an information security training and awareness web site for all members of the NPDN as well as a network of automated vulnerability scanning systems deployed at most of the regional centers.
Security Issues for Indiana GIS Data
The State of Indiana is the repository for (and collector of) a significant amount of spatial data. There is a growing need for well-articulated government policy about the public release of such data as a method for communicating government data and information. Much of the related discussion to date has focused on the data at the individual layer level and whether the data should be sold or not. Additional discussion should be focused on the protection of personal identifiers contained in such data and the potential for exposing both Indiana citizens and corporations to privacy violations. Purdue proposes a study of the services provided by the use of spatial data and, in particular, of the security implications when multiple data layers are joined as a method for advanced communication of geospatial data. This study will lead to policy recommendations for the State of Indiana that will promote the appropriate balance between public information benefits and personal privacy risks. It will also advance the state of the art and practice of information security in general.
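The privacy risk the proposed study targets, two layers that are each acceptable to release on their own but that re-attach a personal identifier to a sensitive attribute once joined on a shared key, can be made concrete with a small release-review check. The following Python is an added example written for this page, not code from Purdue or the Indiana study; the layer contents, the field names (parcel_id, owner, zip, lead_result), the lists of what counts as a direct identifier or a sensitive field, and the use of k-anonymity as the measure are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample layers: parcel ids, names, ZIP codes and results are made up
# for this example and are not data from any Indiana dataset.
PARCEL_LAYER = [
    {"parcel_id": "P-1001", "owner": "A. Example", "zip": "47906"},
    {"parcel_id": "P-1002", "owner": "B. Example", "zip": "47906"},
    {"parcel_id": "P-1003", "owner": "C. Example", "zip": "47907"},
    {"parcel_id": "P-1004", "owner": "D. Example", "zip": "47907"},
    {"parcel_id": "P-1005", "owner": "E. Example", "zip": "47907"},
]

# A second layer published "de-identified": no names, only parcel id, ZIP and a
# sensitive attribute. On its own it names nobody, and every ZIP has two rows.
WATER_TEST_LAYER = [
    {"parcel_id": "P-1001", "zip": "47906", "lead_result": "elevated"},
    {"parcel_id": "P-1002", "zip": "47906", "lead_result": "normal"},
    {"parcel_id": "P-1003", "zip": "47907", "lead_result": "normal"},
    {"parcel_id": "P-1004", "zip": "47907", "lead_result": "elevated"},
]

# Assumed classification of fields for the review (hypothetical policy choice).
DIRECT_IDENTIFIERS = {"owner", "name", "phone"}
SENSITIVE_FIELDS = {"lead_result"}


def join_layers(left, right, key):
    """Inner join of two record lists on a shared key (here the parcel id)."""
    index = defaultdict(list)
    for rec in right:
        index[rec[key]].append(rec)
    joined = []
    for rec in left:
        for match in index.get(rec[key], []):
            joined.append({**rec, **match})
    return joined


def k_anonymity(records, quasi_ids):
    """Smallest group size over the quasi-identifier combination.
    k == 1 means at least one record is unique on those fields."""
    groups = Counter(tuple(r[f] for f in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def linkage_report(identifying_layer, sensitive_layer, key, quasi_ids, sensitive_field):
    """Assess what a join exposes: how many sensitive records get attached to a
    named owner, and how k-anonymity changes once the owner becomes a field."""
    before = k_anonymity(sensitive_layer, quasi_ids)
    joined = join_layers(identifying_layer, sensitive_layer, key)
    exposed = [r for r in joined if "owner" in r and r.get(sensitive_field) is not None]
    return {
        "k_before_join": before,
        "k_after_join": k_anonymity(joined, quasi_ids + ["owner"]),
        "sensitive_records_linked_to_owner": len(exposed),
        "owners_with_elevated": sorted(
            r["owner"] for r in exposed if r[sensitive_field] == "elevated"
        ),
    }


def release_review(layers):
    """Flag pairs of layers that, released together, share a join key while one
    carries a direct identifier and the other a sensitive field."""
    findings = []
    names = list(layers)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            fields_a, fields_b = set(layers[a][0]), set(layers[b][0])
            shared = fields_a & fields_b
            a_to_b = fields_a & DIRECT_IDENTIFIERS and fields_b & SENSITIVE_FIELDS
            b_to_a = fields_b & DIRECT_IDENTIFIERS and fields_a & SENSITIVE_FIELDS
            if shared and (a_to_b or b_to_a):
                findings.append((a, b, sorted(shared)))
    return findings


if __name__ == "__main__":
    print(linkage_report(PARCEL_LAYER, WATER_TEST_LAYER, "parcel_id", ["zip"], "lead_result"))
    print(release_review({"parcels": PARCEL_LAYER, "water_tests": WATER_TEST_LAYER}))
```

The review is deliberately conservative: it flags any pair of layers that share a field and split identifiers from sensitive attributes, leaving a human to decide whether the shared field is really a usable join key. The report shows why layer-by-layer review is not enough: the water-test layer has k = 2 on ZIP alone, but once joined to the parcel layer every row is unique and carries a name.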