Search results

1 – 10 of over 13000
Article
Publication date: 13 April 2012

Mohamed El‐Attar


Abstract

Purpose

Security is a vital requirement for software systems. Misuse case models allow system designers to inject security considerations within their designs early in the development cycle rather than patching an end system with security mechanisms after it was developed. The notation and syntactical rules of misuse case models are relatively simple. However, misuse case modeling practitioners are highly vulnerable to modeling pitfalls, creating defective models that can have catastrophic effects downstream in the development cycle. This paper seeks to present a framework that utilizes antipatterns to help remedy defective misuse case models and poor modeling practices.

Design/methodology/approach

A repository of antipatterns was constructed and formatted to be machine‐readable whenever possible so that it can be utilized by the proposed framework. The feasibility of the proposed approach was then demonstrated using a real‐world misuse case model of an online bookstore system.

Findings

The results indicate that the overall quality and clarity of the bookstore misuse case model is improved by applying the proposed technique and framework.

Research limitations/implications

This research work presents a series of domain‐independent antipatterns. Users of this framework may be interested to develop domain‐dependent antipatterns to better suit their modeling and development needs.

Originality/value

The proposed approach will help misuse case modelers, especially novice ones, to improve the quality of their current models as well as future models.

Details

Business Process Management Journal, vol. 18 no. 2
Type: Research Article
ISSN: 1463-7154


Article
Publication date: 5 March 2014

Anne-Marie Laslett, Robin Room and Paul Dietze


Abstract

Purpose

The purpose of this paper is to determine whether the diagnosis of both carers’ mental health problems and substance misuse increases the likelihood of recurrent child maltreatment over and above the individual effects of these factors.

Design/methodology/approach

Retrospective secondary data analysis of 29,455 children where child maltreatment was confirmed in the Victorian child protection system between 2001 and 2005. Recorded mental health, alcohol misuse and other drug misuse variables were entered into multivariate logistic regression models predicting repeated child maltreatment. Interactions and a range of other child, carer and socio-economic factors were included in these models.

Findings

Carer alcohol misuse, other drug misuse and mental ill health all independently predicted recurrent child maltreatment. The presence of both other drug misuse and mental ill health increased the likelihood that recurrent child abuse was recorded over the likelihood that mental health alone predicted recurrent child maltreatment, and while alcohol misuse had an effect when there was no mental health condition recorded it did not have an additional effect when there was evidence of mental health problems.

Research limitations/implications

Children in families where there are both mental health problems and other drug use problems are at greater risk of repeated maltreatment than where there is evidence of mental health problems or other drug use alone. Where there was evidence of carer mental health problems, alcohol misuse did not add to this likelihood. However, the effect of mental health and other drug use was similar in size to the effect of alcohol misuse alone.

Originality/value

These findings add to understandings of the effects of co-occurring mental health problems and substance misuse on recurrent child maltreatment and differentiate between cases that involve alcohol and other drug misuse.

Details

Advances in Dual Diagnosis, vol. 7 no. 1
Type: Research Article
ISSN: 1757-0972


Open Access
Article
Publication date: 20 June 2019

Per Håkon Meland, Karin Bernsmed, Christian Frøystad, Jingyue Li and Guttorm Sindre


Abstract

Purpose

Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety.

Design/methodology/approach

This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling.

Findings

The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly to security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management.

Originality/value

Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.

Details

Information & Computer Security, vol. 27 no. 4
Type: Research Article
ISSN: 2056-4961


Article
Publication date: 20 December 2007

Carlos Eduardo de Barros Paes and Celso Massaki Hirata


Abstract

Purpose

Nowadays, most of the software development processes still do not provide appropriate support for the development of secure systems. Rational Unified Process (RUP) is a well‐known software engineering process that provides a disciplined approach to assigning tasks and responsibilities; however, it has little support for development of secure systems. This work aims to present a proposal of RUP for the development of secure systems.

Design/methodology/approach

In order to obtain the proposed RUP, the authors consider security as a knowledge area (discipline) and they define workflow, activities and roles according to the architecture of process engineering Unified Method Architecture (UMA). A software development was used to assess qualitatively the extended RUP.

Findings

Based on the development, the authors find that the proposed process produces security requirements in a more systematic way and results in the definition of better system architecture.

Research limitations/implications

The proposed extension requires specific adaptation if other development processes such as agile process and waterfall are employed.

Practical implications

The extension facilitates the management of execution and control of the activities and tasks related to security, and the development teams can benefit by constructing better quality software.

Originality/value

The originality of the paper is the proposal of extension to RUP in order to consider security in a disciplined and organized way.

Details

International Journal of Web Information Systems, vol. 3 no. 4
Type: Research Article
ISSN: 1744-0084


Article
Publication date: 7 October 2013

Karin Hedström, Fredrik Karlsson and Ella Kolkowska


Abstract

Purpose

Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security.

Design/methodology/approach

This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality.

Findings

The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance.

Originality/value

This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227


Article
Publication date: 12 March 2018

Eileen Patterson, Sara Branch, Michelle Barker and Sheryl Ramsay


Abstract

Purpose

The purpose of this paper is to investigate the use of power in cases of upwards bullying by examining the bases of power that staff members use, and how these bases create power imbalances.

Design/methodology/approach

Qualitative, semi-structured interviews were conducted with six managers from several organisations. After completion of each interview, verbatim transcripts were created and examined using NVivo, allowing in-depth thematic analysis. The broad coding schema, developed through a review of the literature, was refined as analysis progressed.

Findings

Three major themes emerged: a loss of legitimate power, coercive power, and structural power. The findings suggest a “power cycle” exists in upwards bullying episodes, which is presented diagrammatically. Discussion focusses on the processes that commence with a decrease or loss of a manager’s legitimate power, associated with a lack of organisational support, and staff members’ perceptions of illegitimacy. Managers indicated vulnerability to inappropriate behaviours by staff members, and the potential for greater power imbalances to build due to these behaviours triggering a feedback mechanism, with managers experiencing a further loss of legitimate power.

Originality/value

The study recommends that research into the perspectives of staff members (such as alleged perpetrators) can further strengthen our understanding of the use of power in workplace bullying, and in upwards bullying in particular. Given the applicability of the outcomes of this research to our understanding of workplace bullying, such theory development can also foster practical approaches to addressing workplace bullying within organisations. Understanding the nature of power within workplace bullying processes can inform organisational strategies to disrupt the cycle of inappropriate behaviours, upwards and otherwise.

Details

Qualitative Research in Organizations and Management: An International Journal, vol. 13 no. 1
Type: Research Article
ISSN: 1746-5648


Article
Publication date: 1 July 2024

Paulina Permatasari, Adi Budiarso, Teguh Dartanto, Agunan Paulus Samosir, Bramantya Saputro, Dewa Ekayana, Efid Dwi Agustono, Tri Emil Alim, Leni Hartono, Firli Wulansari Wahyuputri and Irwanda Wisnu Wardhana


Abstract

Purpose

This study aims to address fundamental questions surrounding accountability within village fund management (VFM) and reporting systems in Indonesia by comparing the number of anomalous data entries with the actual village funds using the VFM data for all Indonesian villages during the period 2018–2020.

Design/methodology/approach

The research presents a pioneering methodology for assessing village fund accountability by analyzing data from all Indonesian villages and using investigative journalism and qualitative analysis. It integrates data from various sources, including government regulations, previous investigations, literature, interviews, etc.

Findings

This research highlights global challenges in development and governance, revealing common issues such as poor management of village funds and the need for strengthened institutional protection enforcement. Referring to the institutional theory, the authors demonstrate how institutional structures influence community behaviors, emphasizing the importance of regulatory frameworks to prevent misuse of public resources and maintain transparency and accountability across various socio-economic and political contexts.

Practical implications

This study emphasizes the necessity for more transparent and accountable fund management practices and calls for broader consideration of implications beyond government impact.

Social implications

This research provides insights for international stakeholders to strengthen their public financial systems, through rigorous monitoring and comprehensive reporting systems.

Originality/value

This study provides the most comprehensive sample comprising all villages in Indonesia that receive village funds and measures the use of village funds based on all village-level disbursements, representing unprecedented research using this form of data.

Details

Transforming Government: People, Process and Policy, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1750-6166


Article
Publication date: 1 December 1995

Michael A. Covington


Abstract

As the set of people using computers becomes larger and less cohesive, it is becoming important to educate users about their ethical responsibilities. Design of an effective campus computer ethics policy requires awareness of numerous cultural, technical and legal issues. Especially important are the cultural splits between power users and utilitarian users, and between “old world” and “new world” philosophies of computer ethics. Discusses those issues and presents the University of Georgia’s ethics policy as a model to aid those developing similar policies at other institutions.

Details

Internet Research, vol. 5 no. 4
Type: Research Article
ISSN: 1066-2243


Article
Publication date: 1 December 2005

Gil Regev, Ian F. Alexander and Alain Wegmann


Abstract

Purpose

The purpose of this paper is to provide a framework for understanding value‐added and abuse prevention activities in business processes.

Design/methodology/approach

The paper considers business processes as a regulation mechanism that an organization uses to survive and flourish in its environment. It proposes a theoretical framework based on the concept of homeostasis, the maintenance of identity in a changing world. In this framework the paper classifies business processes into three levels (strategic, operational, regulative) and analyses the relationships between these three levels. Based on this framework, the paper extends the “Use and Misuse Cases” technique to support modelling of value‐added and abuse prevention activities.

Findings

The main finding is the importance of considering business processes as regulation mechanisms. Traditionally, business processes are analysed through the goals they are designed to achieve. This paper analyses what the organization aims at maintaining. This makes it possible to explicitly model the potential abuses (threats) to business processes and their associated corrective measures (regulative processes).

Practical implications

Use of this framework enables process designers to explicitly model abuse prevention activities, even though they are traditionally considered as not participating in customer value creation. This should lead to better‐fitting business processes.

Originality/value

The framework is useful because it provides a theoretical justification for the value creation and abuse prevention activities that can be found in business processes. The three levels that we use to analyse business processes (strategic, operational and regulative) constitute an innovation in business process modelling where only two levels (strategic and operational) have been considered thus far. Few, if any, business process theoretical frameworks provide this kind of rationale for abuse prevention activities.

Details

Business Process Management Journal, vol. 11 no. 6
Type: Research Article
ISSN: 1463-7154


Article
Publication date: 2 July 2024

Javad Pool, Saeed Akhlaghpour and Andrew Burton-Jones


Abstract

Purpose

Information systems (IS) research in general and health IS studies, in particular, are prone to a positivity bias – largely focusing on upside gains rather than the potential misuse practices. This paper aims to explore failures in health IS use and shortcomings in data privacy and cybersecurity and to provide an explanatory model for health record misuse.

Design/methodology/approach

This research is based on four data sets that we collected through a longitudinal project studying digital health (implementation, use and evaluation), interviews with experts (cybersecurity and digital health) and healthcare stakeholders (health professionals and managers). We applied qualitative analysis to explain health records misuse from a sociotechnical perspective.

Findings

We propose a contextualized model of “health records misuse” with two overarching dimensions: data misfit and improper data processing. We explain sub-categories of data misfit: availability misfit, meaning misfit and place misfit, as well as sub-categories of improper data processing: improper interaction and improper use-related actions. Our findings demonstrate how health records misuse can emerge in sociotechnical health systems and impact health service delivery and patient safety.

Originality/value

Through contextualizing system misuse in healthcare, this research advances the understanding of ineffective use and failures in health data protection practices. Our proposed theoretical model provides explanations for unique patterns of IS misuse in healthcare, where data protection failures are consequential for healthcare organizations and patient safety.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845
