Papers by DIMITRIS GRITZALIS
Dependency analysis of critical infrastructures is a computationally intensive problem when deali... more Dependency analysis of critical infrastructures is a computationally intensive problem when dealing with large-scale, cross-sectoral, cascading and common-cause failures. The problem intensifies when attempting a dynamic, time-based dependency analysis. This paper extends a previous graph-based risk analysis methodology to dynamically assess the evolution of cascading failures over time. Various growth models are employed to capture slow, linear and rapidly evolving effects, but instead of using static projections, the evolution of each dependency is " objectified " by a fuzzy system that also considers the effects of nearby dependencies. To achieve this, the impact (and, eventually, risk) of each dependency is quantified on the time axis into a form of many-valued logic. In addition, the methodology is extended to analyze major failures triggered by concurrent common-cause cascading events. A critical infrastructure dependency analysis tool, CIDA, that implements the extended risk-based methodology is described. CIDA is designed to assist decision makers in proactively analyzing dynamic and complex dependency risk paths in two ways: (i) identifying potentially underestimated low risk dependencies and reclassifying them to a higher risk category before they are realized; and (ii) simulating the effectiveness of alternative mitigation controls with different reaction times. Thus, the CIDA tool can be used to evaluate alternative defense strategies for complex, large-scale and multi-sectoral dependency scenarios and to assess their resilience in a cost-effective manner.
Observed and projected climate change, such as increases in temperature , sea level rise and the ... more Observed and projected climate change, such as increases in temperature , sea level rise and the increase in frequency and intensity of extreme weather events, have come to challenge the operation of critical infrastructures (CIs); including CIs in the transport sector, which is an important pillar of our economy and society. Transport, as many other CI sectors, is comprised of complex systems with responsibilities distributed across many different stakeholders. This situation makes integrated adaptation approaches challenging to achieve, requiring appropriate governance and coordinated action. In recent years, climate change adaptation started to emerge as a need for resilient and sustainable infrastructures. Despite the key role of transport and the huge challenges posed by climate change, attention to adaptation for risk reduction at the given sector is relatively low. Good adaptation action requires climate vulnerability analysis and impact knowledge, so it is important that adaptation options are properly identified, evaluated and monitored. This paper aims to detect and analyze global adaptation initiatives in order to classify adaptation options, while focusing on emerging adaptation challenges and opportunities in the transport sector. This will enable stakeholders to improve transport effectiveness and future sustainability, while stimulating what additional actions are needed for climate change adaptation.
Desktop browsers have introduced private browsing mode, a security control which aims to protect ... more Desktop browsers have introduced private browsing mode, a security control which aims to protect users' data that are generated during a private browsing session, by not storing them in the file system. As the Internet becomes ubiquitous, the existence of this security control is beneficial to users, since privacy violations are increasing, while users tend to be more concerned about their privacy when browsing the web in a post-Snowden era. In this context, this work examines the protection that is offered by the private browsing mode of the most popular desktop browsers in Windows (i.e., Chrome, Firefox, IE and Opera). Our experiments uncover occasions in which even if users browse the web with a private session, privacy violations exist contrary to what is documented by the browser. To raise the bar of privacy protection that is offered by web browsers, we propose the use of a virtual filesystem as the storage medium of browsers' cache data. We demonstrate with a case study how this countermeasure protects users from the privacy violations, which are previously identified in this work.
Online social networks (OSN) and media indicate and incorporate the shift to interpersonal, horiz... more Online social networks (OSN) and media indicate and incorporate the shift to interpersonal, horizontal and mutual communication and, thus information aggregation. In our previous research we have demonstrated that it is possible and potentially trivial to extract personal sensitive information such as political beliefs and psychosocial about OSN users in an automated manner. Our research highlights how Web 2.0 and OSNs (YouTube and Twitter) may become a topos of participatory panopticism, an omniopticon in which the many watch the many and can reconstruct sensitive information out of seemingly anonymous data/content. We focus on the results of this type of surveillance that facilitates the exculpation of such penetrating and privacy-violating technologies and amplifies the threshold of societal tolerance towards a panopticon-like state of surveillance. Furthermore, we analyse and discuss implications of data mining as data processing with focus on the new European law and the legal framework in the USA.
Please cite this article as: George Stergiopoulos, Panayiotis Katsaros, Dimitris Gritzalis, Progr... more Please cite this article as: George Stergiopoulos, Panayiotis Katsaros, Dimitris Gritzalis, Program analysis with risk-based classification of dynamic invariants for logical error detection, Computers & Security (2017), http://dx.doi.org/
Session 1-Secure and Trusted Virtual Organisations-Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship
Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship
Lecture Notes in Computer Science, 2007
... Security Management Outsourcing Relationship Aggeliki Tsohou1, Marianthi Theoharidou2,Spyros ... more ... Security Management Outsourcing Relationship Aggeliki Tsohou1, Marianthi Theoharidou2,Spyros Kokolakis1, and Dimitris Gritzalis2 ... Computers & Security 24(3), 246260 (2005) 14. Karyda, M., Mitrou, E., Quirchmayr, G.: A framework for outsourcing IS/IT security services. ...
A Knowledge-Based Repository Model for Security Policies Management
Lecture Notes in Computer Science, 2003
ABSTRACT Most organizations currently build customized security policies by extending the princip... more ABSTRACT Most organizations currently build customized security policies by extending the principles and guidelines suggested by generic security policies. This method cannot guarantee that the resulting policies are compatible, neither it can ensure that the resulting protection levels are equivalent. We introduce a Security Policies Repository (SPR), which consists of a knowledge base, storing multiple security policies in a structured way. The SPR facilitates the juxtaposition of security policies, in order to detect, analyze, and resolve conflicts, and to compare and negotiate the protection level of each of the co- operating information systems. Reconciliation of security policies is achieved by means of developing mutually accepted meta-policies.
Following the identification on an international basis of cyberspace as a new 'domain of warfare'... more Following the identification on an international basis of cyberspace as a new 'domain of warfare', it has become widely (though not fully) accepted that the traditional rules of International Humanitarian Law are also applicable to Computer Network Attacks (CNAs). Despite the fact that there has been considerable progress at the European and International level towards the development of National Cyber Security Strategies and the adoption of an effective comprehensive legal framework of prevention measures against cyber attacks, there is confusion regarding the application of these rules. More specifically, it has not been clarified: a) in which cases do cyber attacks constitute a 'threat or use of force' so that the prohibition of article 2(4) of the UN Charter can apply, b) in which cases do cyber attacks constitute a 'threat to the peace, breach of the peace, or act of aggression' so that the Security Council may decide upon measures to restore international peace and security under Article 42 of the UN Charter, and c) in which cases cyber attacks can be treated as an 'armed attack', making it possible for a UN Member State to respond by exercising its legitimate right of self-defense under Article 51 of the UN Charter. The difficulty in applying the traditional rules of International Humanitarian Law to categorize cyber attacks stems from a number of factors. The most important of them is the failure to estimate properly the impact of a cyber attack in the host country and in the international environment. Additionally, the inability to positively identify the key actor of an attack makes it often quite hard to handle the issue of 'attribution'. The aim of this paper is to propose a model for detecting the effects of cyber attacks and for enabling their categorization on the basis of their type and intensity. The above method requires the identification of the Critical Information and Communication Infrastructures of each State and their ranking in terms of their intensity and seriousness.
Security policy development for Healthcare Information Systems
Studies in health technology and informatics, 2003
In this paper the issue of security policy development for health information systems is addresse... more In this paper the issue of security policy development for health information systems is addressed. Security policy development involves the definition of the policy content, the analysis of the social, organisational, and technical contexts, as well as the organisation of the policy development process. We present the structure of security policies, analyse the characteristics of the HIS context, and analyse the different categories of methodologies, which can be used towards this end.
Overview on security standards for Healthcare information systems
The intense need for Healthcare information exchange has revealed a lack of interoperability of s... more The intense need for Healthcare information exchange has revealed a lack of interoperability of systems and applications. Security controls, usually based on proprietary methods and techniques, aggravate the current situation. However, timely development of HIS security standards may improve the interoperability and enable the integration of systems. This chapter provides an overview of the standardisation work that is being done by official standardisation organisations in Europe and world-wide.
IFIP Advances in Information and Communication Technology, 2002
Electronic voting has been attracting the attention of governments and research groups with most ... more Electronic voting has been attracting the attention of governments and research groups with most work on the subject referring to the user requirements such a system should satisfy. For several cases, though, requirement identification seldom goes further than a simple narrative description of a basic set of nonfunctional characteristics related to security. On the other hand, governmental reports usually refer to requirements as the set of applicable laws pertaining a certain voting procedure. Both sides seem to underestimate the fact that an electronic voting system is an information system with functional, as well as non-functional, requirements. In this paper we apply the Rational Software Development Process for identifying and presenting the requirements an electronic voting system should meet. The requirements are based on a generic voting model that has been developed having in mind the European Union member states legislation, the organisational details of currently applicable voting procedures and the opportunities offered and the constraints imposed by the state-of-the-art technology.
Draft standard for high level security policies for Healthcare establishments
Session 1-Secure and Trusted Virtual Organisations-Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship
The problem of system-to-system authentication with the use of a password can be effectively faci... more The problem of system-to-system authentication with the use of a password can be effectively facilitated through the use of either a probabilistic protocol or a zero-knowledge model. A combination of these two into a zero-knowledge probabilistic protocol has been demonstrated to be an efficient alternative approach to this problem. In the present paper, this combined protocol is restructured into a formal system-to-system login and authentication scheme, which is demonstrated to be not only secure but also generic and parametric enough to be usable in environments with different technological platforms and/or operational structures.
Social media and Web 2.0 have enabled internet users to contribute online content, which may be c... more Social media and Web 2.0 have enabled internet users to contribute online content, which may be crawled and utilized for a variety of reasons, from personalized advertising to behaviour prediction/profiling. In this paper, our goal is to present a horror and a success story from the digital world of Social Media, in order to: (a). present a political affiliation profiling method, the Panopticon method, in order to reveal this threat and contribute in raising the social awareness over it. (b). describe an insider threat prediction method by evaluating the predisposition towards law enforcement and authorities, a personal psychosocial trait closely connected to the manifestation of malevolent insiders. The experimental test case of both methodologies is an extensive Greek community of YouTube users. In order to demonstrate our cases, we performed graph theoretic and content analysis of the collected dataset and showed how and what kind of personal data can be derived via data mining on publicly available YouTube data. As both methodologies set user's privacy and dignity at stake, we provide the reader with an analysis of the legal means for each case, so as to effectively be prevented from a privacy violation threat and also present the exceptional cases, such as the selection of security officers of critical infrastructures, where such methodologies could be used.
Insider threat is a major issue in cyber and corporate security. In this paper we study the psych... more Insider threat is a major issue in cyber and corporate security. In this paper we study the psychosocial perspective of the insider via social media, Open Source Intelligence, and user generated content classification. Inductively, we propose a prediction method by evaluating the predisposition towards law enforcement and authorities , a personal psychosocial trait closely connected to the manifestation of malevolent insiders. We propose a methodology to detect users holding a negative attitude towards authorities. For doing so we facilitate the use of machine learning techniques and of a dictionary-based approach, so as to detect comments expressing negative attitude. Thus, we can draw conclusions over a user behavior and beliefs via the content the user generated within the limits a social medium. We also use an assumption free flat data representation technique in order to decide over the user's attitude. Furthermore, we compare the results of each method and highlight the common behavior manifested by the users. The demonstration is applied on a crawled community of users on YouTube.
Information systems face several security threats, some of which originate by insiders. This pape... more Information systems face several security threats, some of which originate by insiders. This paper presents a novel, interdisciplinary insider threat prediction model. It combines approaches, techniques, and tools from computer science and psychology. It utilizes real time monitoring , capturing the user's technological trait in an information system and analyzing it for misbehavior. In parallel, the model is using data from psychometric tests, so as to assess for each user the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The model combines the above mentioned information, categorizes users, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.
The proliferation of smartphones introduced new challenges in the users' security and privacy. Cu... more The proliferation of smartphones introduced new challenges in the users' security and privacy. Currently, the literature concentrates mainly on the 'nuts and bolts' of their security models. Not extensive work is available on the security awareness of smartphone users, even though their role in the ecosystem is important. This is so, as users' actions directly affect their security and privacy. This paper extends a previous work on the awareness of smart-phone users who install apps from official repositories. More specifically, we explore if a security background affects the smartphone security awareness of the survey participants by splitting them in two groups, comprising of security savvy and non-security savvy users. The results of the statistical analysis indicate , inter alia, that the participants' security background has slight impact on their security awareness in the smartphone ecosystem.
Your article is protected by copyright and all rights are held exclusively by Springer-Verlag. Th... more Your article is protected by copyright and all rights are held exclusively by Springer-Verlag. This e-offprint is for personal use only and shall not be self-archived in electronic repositories. If you wish to self-archive your work, please use the accepted author's version for posting to your own website or your institution's repository. You may further deposit the accepted author's version on a funder's repository at a funder's request, provided it is not made publicly available until 12 months after publication.
Uploads
Papers by DIMITRIS GRITZALIS