Detecting Conflicts of Interest

Slides:



Advertisements
Similar presentations
Alberto Siena. GORE focuses on stakeholders and their goals Effective in specifying requirements that satisfy some properties (e.g., cost/benefit trade-off,
Advertisements

[ §4 : 1 ] 4. Requirements Processes I Overview 4.1Fundamentals 4.2Elicitation 4.3Specification 4.4Verification 4.5Validation Requirements Definition Document.
Giorgini P., EuroPKI Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures Paolo Giorgini Department of.
Information Security considerations for Outsourced ICT Services
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Developing MAS The GAIA Methodology A Brief Summary by António Castro and Prof. Eugénio Oliveira.
1 Methodology for customer relationship management Author : Ricardo Chalmeta From : The Journal of Systems and Software (2006) Report : Yu-Juan Chiu Date.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Origins and Implications
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Session 3 – Information Security Policies
Complex Security Policies Dave Andersen Advanced Operating Systems Georgia State University.
SEC835 Database and Web application security Information Security Architecture.
1 CREATING A LEARNING ORGANIZATION AND AN ETHICAL ORGANIZATION STRATEGIC MANAGEMENT BUAD 4980.
19 Hospitality Management. 19 Hospitality Management.
SecureTropos ST-Tool A CASE tool for security-aware software requirements analysis Departement of Information and Communication Technology – University.
A Goal-Based Organizational Perspective on Multi-Agent Architectures Manuel Kolp † Paolo Giorgini ‡ John Mylopoulos † † Department of Computer Science.
Context for Accessing IT Resources Lars Kruger and Bastian Grabski Objective: Context based approach that provides individual access to IT resources in.
© Yilmaz “Agent-Directed Simulation – Course Outline” 1 Course Outline Dr. Levent Yilmaz M&SNet: Auburn M&S Laboratory Computer Science &
Secure Systems Research Group - FAU Classifying security patterns E.B.Fernandez, H. Washizaki, N. Yoshioka, A. Kubo.
Ethics - 1 Key Definitions  Moral: “relating to principles of right and wrong”  Ethics: “the discipline of dealing with what is good and bad and with.
Università degli Studi di Zannone, Massacci, MylopoulosSecure Tropos -- 1 Security Requirements Engineering Methodologies Nicola Zannone,
Università degli Studi di Trento Modeling Security Requirements Through Ownership, Permission and Delegation P. Giorgini F.Massacci J. Mylopoulos N. Zannone.
1 Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework ¹ Dep. of Information and Communication Technology,
1 BORDER SECURITY AND MANAGEMENT Intra-service co-operation Inter-agency co-operation Presented by: Visiting expert Goran Krsteski Geneva.
Introduction Complex and large SW. SW crises Expensive HW. Custom SW. Batch execution Structured programming Product SW.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Requirement Engineering for Trust Management : Model, Methodology Reasoning P. Giorgini, F. Massacci, J. Mylopoulos, N. Zannone, “Requirements Engineering.
Requirements Engineering Process
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
CSCE 201 Introduction to Information Security Fall 2010 Access Control Models.
 2001 John Mylopoulos STRAW’ Software Architectures as Social Structures John Mylopoulos University of Toronto First ICSE Workshop titled “From.
Requirements Analysis
1 Security and Dependability Organizational Patterns - A Proof of Concept Demo for SERENITY A. Saidane, F. Dalpiaz, V.H. Nguyen, F. Massacci.
Configuration Control (Aliases: change control, change management )
1 Week 5 Software Engineering Fall Term 2015 Marymount University School of Business Administration Professor Suydam.
 The processes used for RE vary widely depending on the application domain, the people involved and the organisation developing the requirements.  However,
Conflict of Interest Policy Once the arrows appear, you can move forward or backward through the presentation.
Requirement Elicitation Nisa’ul Hafidhoh Teknik Informatika
CS457 Introduction to Information Security Systems
Ethics and Moral reasoning
Auditing Concepts.
University of Trento, Italy
Chapter 1 The Systems Development Environment
CHAPTER.2: Requirements Engineering Processes
Software Project Management
ELEC4011 Ethics & Electrical Engineering Practice Hugh Outhred
Chapter 1 The Systems Development Environment
STRATEGY IMPLEMENTATION
Chapter 1 The Systems Development Environment
VENDORS, CONSULTANTS AND USERS
CYB 100 Become Exceptional/ newtonhelp.com. CYB 100 All Assignments For more course tutorials visit uophelp.com is now newtonhelp.com
SECURITY MECHANISM & E-COMMERCE
CONFIDENTIALITY, INTEGRITY, LEGAL INTERCEPTION
Business Ethics.
Chapter 19: Building Systems with Assurance
Ethical questions on the use of big data in official statistics
Requirements Engineering meets Trust Management
Is My Firm-Specific Investment Protected
How to Mitigate the Consequences What are the Countermeasures?
Engineering Secure Software
Chapter 1 The Systems Development Environment
Subject Name: SOFTWARE ENGINEERING Subject Code:10IS51
Public Management Information Systems System Analysis Thursday, August 01, 2019 Hun Myoung Park, Ph.D. Public Management & Policy Analysis Program Graduate.
Presentation transcript:

Detecting Conflicts of Interest Paolo Giorgini, Fabio Massacci, John Mylopoulos, Nicola Zannone Department of Information and Communication Technology University of Trento

Conflicts of Interest Analyzing organizational requirements is fundamental to build secure systems Security is often compromised by exploiting vulnerabilities in the socio-technical system Conflicts of interest are critical in the development of secure systems since “trusted” actors often abuse their position to gain personal advantages e.g., an employee working in Front Office and in Back Office e.g., in the early nineties John Rusnak gained nearly $500.000 in bonuses for fake bank profits by exploiting his trader position at Allied Irish Bank

Some Proposals Proposed a number of classifications and solutions to mitigate conflicts divergences between goals [van Lamsweerde et al.] overlap of the subjects of authorization policies [Moffett et al.] privilege-privilege conflicts and role-role conflicts in role-based access control [Nyanchama et al.] Unfortunately, current solutions are unsatisfactory No analysis of the organizational setting Proposed taxonomies of conflicts are based on mechanisms for preventing them, instead of understanding why and when they occur Solutions hardly make any reference to the legal theory on which they are based

A Law Definition A conflict of interest is “a situation in which a person has a duty to more than one person or organization, but cannot do justice to the actual or potentially adverse interests of both parties. This includes when an individual's personal interests or concerns are inconsistent with the best for a customer, or when a public official's personal interests are contrary to his/her loyalty to public business.” http://dictionary.law.com

Conflict (of Interest) Classification Attorney-in-fact conflict the interests of the delegatee interfere with the interests of the delegator Role conflict an agent is assigned a role whose interests collide with those of the agent Self-monitoring conflict an actor is responsible for monitoring his own behaviour

Secure Tropos Requirements Engineering methodology tailored to model both the organizational environment of a system and the system itself Support modeling and analysis of functional and security requirements Founded on the notions of ownership, provisioning, trust, and delegation define entitlements, capabilities and responsibilities of stakeholders and system's actors and their transfer. Automated Reasoning Support for Security Requirements Analysis

Conflicts of Interest in Secure Tropos Role conflict Attorney-in-fact conflict Self-monitoring conflict

Verification Process Design the requirements model identify stakeholders along with their objectives, entitlements and capabilities identify social relations among stakeholders identify conflicting interests Computer Aided Requirements Engineering Diagrams (automatically) mapped into a Formal Model Check the properties on the Formal Model ← delegateChain(exec,A,B,S1) ʌ neg_contribution(S1,S2) ʌ aims(B,S2)

Conclusion Identify conflicts of interest during the early phases of the software system development process. Investigate the sources of conflicts of interest at requirements (as opposed to policy) level grounding our notions on legal theory Define a clear-cut formalization that allows for automatic detection of conflicts Future Work Define solutions for mitigating conflicts of interest Reconstructing the organizational structure Automatically extracting separation of duty constraints from the requirements model This work is partially supported by MOSTRO, SERENITY, STAMPS and SENSORIA projects