Search results

1 – 10 of 11
Article
Publication date: 18 May 2020

Eleni-Laskarina Makri, Zafeiroula Georgiopoulou and Costas Lambrinoudakis

This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the…

Abstract

Purpose

This study aims to assist organizations to protect the privacy of their users and the security of the data that they store and process. Users may be the customers of the organization (people using the offered services) or the employees (users who operate the systems of the organization). To be more specific, this paper proposes a privacy impact assessment (PIA) method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, demonstrating its applicability to two hospital information systems with different characteristics.

Design/methodology/approach

This paper presents a PIA method that employs metrics and takes into account the peculiarities and other characteristics of the organization. The applicability of the method has been demonstrated on two Hospital Information Systems with different characteristics. The aim is to assist the organizations to estimate the criticality of potential privacy breaches and, thus, to select the appropriate security measures for the protection of the data that they collect, process and store.

Findings

The results of the proposed PIA method highlight the criticality of each privacy principle for every data set maintained by the organization. The method employed for the calculation of the criticality level, takes into account the consequences that the organization may experience in case of a security or privacy violation incident on a specific data set, the weighting of each privacy principle and the unique characteristics of each organization. So, the results of the proposed PIA method offer a strong indication of the security measures and privacy enforcement mechanisms that the organization should adopt to effectively protect its data.

Originality/value

The novelty of the method is that it handles security and privacy requirements simultaneously, as it uses the results of risk analysis together with those of a PIA. A further novelty of the method is that it introduces metrics for the quantification of the requirements and also that it takes into account the specific characteristics of the organization.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 8 June 2020

Zafeiroula Georgiopoulou, Eleni-Laskarina Makri and Costas Lambrinoudakis

The purpose of this paper is to give a brief guidance on what a cloud provider should consider and what further actions to take to comply with General Data Protection…

Abstract

Purpose

The purpose of this paper is to give a brief guidance on what a cloud provider should consider and what further actions to take to comply with General Data Protection Regulation (GDPR).

Design/methodology/approach

This paper presents in detail the requirements for GDPR compliance of cloud computing environments, presents the GDPR roles (data controller and data processor) in a cloud environment and discusses the applicability of GDPR compliance requirements for each cloud architecture (Infrastructure as a Service, Platform as a Service, Software as a Service), proposes countermeasures for satisfying the aforementioned requirements and demonstrates the applicability of the aforementioned requirements and countermeasures to a PaaS environment offering services for building, testing, deploying and managing applications through cloud managed data centers. The applicability of the method has been demonstrated on in a PaaS environment that offers services for building, testing, deploying and managing applications through cloud managed data centers.

Findings

The results of the proposed GDPR compliance measures for cloud providers highlight the effort and criticality required from cloud providers to achieve compliance.

Originality/value

Details

Information & Computer Security, vol. 28 no. 5
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 12 July 2013

Costas Lambrinoudakis

The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.

1032

Abstract

Purpose

The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.

Design/methodology/approach

The paper draws conceptually upon an existing security standard's framework and omissions in information privacy compliance frameworks are recognized. As a result, an extended framework of information security and privacy standards is developed. Moreover, taking into account the different attributes and focus of information privacy as compared to information security, the elicitation of usability criteria for web applications and interfaces that will assist users to protect their privacy, is being proposed.

Findings

Within ICT standards numerous information security standards exist, which enable a common understanding of security requirements and promote global rules and practices for security mechanisms. Through their usage, designed information systems ultimately reach a commonly accepted security level and interoperate with other systems in an efficient and secure way. Nevertheless, a similar compliance environment is missing with regard to information privacy. Often security controls are seen as the solution to privacy protection and security compliance frameworks are regarded as guidance to information privacy as well. This is clearly the wrong approach since the main security and privacy attributes are different; information security refers to information stored, processed and transmitted for completing the information system's functions and purpose, while information privacy is the protection of the information's subject identity.

Research limitations/implications

The identified gaps in compliance environments are based on extensive literature review, while the proposed enhancements for the information privacy standards are, at this stage, an opinion‐based piece of work.

Originality/value

Currently, information privacy is treated mostly as a legal compliance requirement and thus is not adequately handled by security standards. The paper provides recommendations and further guidance in managerial, procedural and technical level for handling information privacy.

Article
Publication date: 1 December 2004

George Angelis, Stefanos Gritzalis and Costas Lambrinoudakis

The Grid is widely seen as the next generation Internet. Aims to share dynamic collections of individuals, institutions and resources by providing consistent, easy and…

582

Abstract

The Grid is widely seen as the next generation Internet. Aims to share dynamic collections of individuals, institutions and resources by providing consistent, easy and inexpensive access to high‐end computational capabilities. Studies Grid security and specifically users' access control. It has been proved that the viability of these heterogeneous environments is highly dependent on their security design. Solutions trying to address all aspects of security were proposed by most existing Grid projects and collaborations; however the results were not always satisfactory. Reviews some of the most widely‐accepted security solutions, and collects the most efficient. Emphasizes access control procedures and the solutions addressing authentication and authorization issues. Identifies the most successful security schemes implemented and illustrates their effectiveness. Collects these mechanisms to form the backbone of a security mechanism, addressing authentication and authorization Grid‐specific problems. The proposed schemes can constitute the backbone of an effective Grid security architecture.

Details

Internet Research, vol. 14 no. 5
Type: Research Article
ISSN: 1066-2243

Keywords

Article
Publication date: 23 November 2010

Aggeliki Tsohou, Spyros Kokolakis, Costas Lambrinoudakis and Stefanos Gritzalis

Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is…

2420

Abstract

Purpose

Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption.

Design/methodology/approach

The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in ISO/IEC 27001:2005 information security management system.

Findings

The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically.

Research limitations/implications

The completeness of the information provided in the paper relies on the pace of standards' publications; thus the information security standards that have been classified in this paper need to be updated when new standards are published. However, the proposed framework can be utilized for this constant effort.

Practical implications

Information security practitioners can benefit by the proposed framework for available security standards and effectively invoke the relevant standard each time. Guidelines for utilizing the proposed framework are presented through a case study.

Originality/value

Although the practices proposed are not innovative by themselves, the originality of this work lies on the best practices' linkage into a coherent framework that can facilitate the standards diffusion and systematic adoption.

Details

Information Management & Computer Security, vol. 18 no. 5
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 1 October 2000

Costas Lambrinoudakis

The continuously increasing need for de‐centralized information systems offering data to the people who need them irrespective of their physical location, as well as the…

2209

Abstract

The continuously increasing need for de‐centralized information systems offering data to the people who need them irrespective of their physical location, as well as the requirement for exchanging information between different but interoperable systems, make the system’s architectural and functional design more complex and in many cases extremely vulnerable in respect to its security attributes. The concept of a “secure portable information file”, that can nowadays be easily implemented through the available smart card technology, can significantly ease information management and ensure maximum data protection in respect to their integrity, confidentiality and availability. This paper presents the use of smart cards in an educational environment as a case‐study example for demonstrating the above mentioned benefits, focussing on the utilization of the smart card’s cryptographic functions for implementing mechanisms capable of providing an extremely secure operational framework in terms of user and application provider authenticity, management of access privileges and data integrity and confidentiality.

Details

Information Management & Computer Security, vol. 8 no. 4
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 1 October 2006

Dimitrios Lekkas and Costas Lambrinoudakis

Digital signatures are only enjoying a gradual and reluctant acceptance, despite the long existence of the relevant legal and technical frameworks. One of the major…

2120

Abstract

Purpose

Digital signatures are only enjoying a gradual and reluctant acceptance, despite the long existence of the relevant legal and technical frameworks. One of the major drawbacks of client‐generated digital signatures is the requirement for effective and secure management of the signing keys and the complexity of the cryptographic operations that must be performed by the signer. Outsourcing digital signatures to a trusted third party would be an elegant solution to the key management burden. Aims to investigate whether this is legally and technically feasible.

Design/methodology/approach

In this paper's approach a relying party trusts a Signature Authority (SA) for the tokens it issues, rather than a Certification Authority for the certificates it creates in a traditional public key infrastructure scheme.

Findings

The paper argues that passing the control of signature creation to a SA rather than the signer herself, is not a stronger concession than the dependence on an identity certificate issued by a Certification Authority.

Originality/value

The paper proposes a framework for outsourced digital signatures.

Details

Information Management & Computer Security, vol. 14 no. 5
Type: Research Article
ISSN: 0968-5227

Keywords

Content available
Article
Publication date: 21 August 2007

320

Abstract

Details

Information Management & Computer Security, vol. 15 no. 4
Type: Research Article
ISSN: 0968-5227

Book part
Publication date: 19 July 2022

Sonal Trivedi and Reena Malik

Introduction: Blockchain is gaining attention in various industries and sectors. It is described as an emergent technology with immense possibilities similar to how the…

Abstract

Introduction: Blockchain is gaining attention in various industries and sectors. It is described as an emergent technology with immense possibilities similar to how the internet has revolutionised how businesses are currently carried out. Still, various sectors have either not adopted or are in a very nascent stage to adopt blockchain technology in their operations. The current research examines how blockchain can be used in the insurance sector. This industry was chosen as it is extremely relevant in today’s world and directly bears its economy.

Purpose: To determine the current and future path in which the insurance industry is moving about blockchain technology adoption and find synergy between blockchain technology and the insurance business.

Need for study: The insurance industry is highly relevant in today’s world and directly bears the country’s economy. Additionally, blockchain is an emergent technology with immense possibilities similar to how the internet has revolutionised how businesses are done. The current research looks at how blockchain can be used in the insurance business.

Methodology: A systematic literature review was conducted in this study by reviewing literature related to blockchain technology and the insurance sector. Science direct was used as a source of information. For this study, the literature review approach was chosen since it allows us to trace the growth of the subject matter and identify the patterns that have formed through time.

Findings: The study found that the insurance sector has recognised the latent benefits of blockchain technology and has begun to develop its usage in selected cases such as fraud prevention and risk assessment.

Practical implications: The current study can be referred to by academicians, marketers, industry people, and policymakers. The study encourages companies and academicians to further investigate the usage of blockchain in insurance.

Details

Big Data: A Game Changer for Insurance Industry
Type: Book
ISBN: 978-1-80262-606-3

Keywords

Article
Publication date: 17 June 2019

Lamya Abdullah and Juan Quintero

The purpose of this study is to propose an approach to avoid having to trust a single entity in cloud-based applications. In cloud computing, data processing is delegated…

Abstract

Purpose

The purpose of this study is to propose an approach to avoid having to trust a single entity in cloud-based applications. In cloud computing, data processing is delegated to a remote party for efficiency and flexibility reasons. A practical user requirement usually is data privacy; hence, the confidentiality and integrity of data processing needs to be protected. In the common scenarios of cloud computing today, this can only be achieved by assuming that the remote party does not in any form act maliciously.

Design/methodology/approach

An approach that avoids having to trust a single entity is proposed. This approach is based on two concepts: the technical abstraction of sealed computation, i.e. a technical mechanism to confine a privacy-aware processing of data within a tamper-proof hardware container, and the role of an auditing party that itself cannot add functionality to the system but is able to check whether the system (including the mechanism for sealed computation) works as expected.

Findings

Discussion and analysis of the abstract, technical and procedural requirements of these concepts and how they can be applied in practice are explained.

Originality/value

A preliminary version of this paper was published in the proceedings of the second International Workshop on SECurity and Privacy Requirements Engineering (SECPRE, 2018).

Details

Information & Computer Security, vol. 27 no. 5
Type: Research Article
ISSN: 2056-4961

Keywords

1 – 10 of 11