Towards a Unified Security Evaluation Framework for e-Healthcare Information Systems

  • Charles A. Shoniregun
  • Kudakwashe Dube
  • Fredrick Mtenzi
Part of the Advances in Information Security book series (ADIS, volume 53)

Abstract

The domain of security engineering has developed some agreed core concepts, but it still lacks a comprehensive evaluation framework. This is particularly the case for e-Healthcare information systems. Evaluation is concerned with how other people can be convinced that the security and privacy protection measures put in place will actually work. Anderson defines the evaluation of a system as the process of assembling evidence that the system meets, or fails to meet, a prescribed assurance target, and identifies two main purposes for it: to convince one's superiors that the work has been done and completed in compliance with standards and laws, and to reassure the people who will rely on the product or system. Evaluation therefore turns on the question of whether the system will actually work, that is, on assurance, understood as the likelihood that the system will not fail in some particular way (Anderson and Cardell, 2008). The lower the likelihood of such a failure, the higher the assurance that can be claimed; the higher that likelihood, the less assurance there can be. This chapter explores the solutions and technologies currently available for evaluating security and privacy problems in e-Healthcare information systems.

Keywords

Information Security, Health Information Exchange, Security Evaluation, Privacy Evaluation, Attack Graph


References

  1. Mohammad Salim Ahmed, Ehab Al-Shaer, and Latifur Khan. A novel quantitative approach for measuring network security. In INFOCOM 2008, pages 1957–1965, 2008. doi: 10.1109/INFOCOM.2008.260.
  2. Ehab Al-Shaer, Latifur Khan, and Mohammad Salim Ahmed. A comprehensive objective network security metric framework for proactive security configuration. In CSIIRW '08: Proceedings of the 4th Annual Workshop on Cyber Security and Information Intelligence Research, pages 1–3, New York, NY, USA, 2008. ACM. ISBN 978-1-60558-098-2. doi: 10.1145/1413140.1413189.
  3. Ehab Al-Shaer, Albert G. Greenberg, Charles R. Kalmanek, David A. Maltz, T. S. Eugene Ng, and Geoffrey G. Xie. New frontiers in internet network management. Computer Communication Review, 39(5):37–39, 2009. doi: 10.1145/1629607.1629615.
  4. Flora Amato, Valentina Casola, Antonino Mazzeo, and Valeria Vittorini. The REM framework for security evaluation. In ARES 2008, pages 1097–1103, 2008. doi: 10.1109/ARES.2008.95.
  5. C. Lindsay Anderson and Judith B. Cardell. Reducing the variability of wind power generation for participation in day ahead electricity markets. In HICSS 2008, page 178, 2008. ISSN 1530-1605. doi: 10.1109/HICSS.2008.368.
  6. Joan S. Ash and Kenneth P. Guappone. Qualitative evaluation of health information exchange efforts. Journal of Biomedical Informatics, 40(6, Supplement 1):S33–S39, 2007. ISSN 1532-0464. doi: 10.1016/j.jbi.2007.08.001. URL www.sciencedirect.com/science/article/B6WHD-4PJ6GKF-2/2/172c507b314b262b1e40a68006426c41. Special issue: Developing Common Methods for Evaluating Health Information Exchange.
  7. Paul Ashley, Satoshi Hada, Günter Karjoth, Calvin Powers, and Matthias Schunter. Enterprise Privacy Authorization Language (EPAL 1.2). Technical report, IBM, 2003. URL www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/index.html.
  8. F. Baader and W. Snyder. Unification theory. In J. A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume I, chapter 8, pages 447–533. Elsevier Science Publishers, 2001. URL lat.inf.tu-dresden.de/research/papers/2001/BaaderSnyderHandbook.ps.gz.
  9. M. Backes, M. Dürmuth, and G. Karjoth. Unification in privacy policy evaluation: translating EPAL into Prolog. In POLICY 2004: Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, pages 185–188, June 2004. doi: 10.1109/POLICY.2004.1309165.
  10. S. M. Bellovin. On the brittleness of software and the infeasibility of security metrics. IEEE Security & Privacy, 4(4):96, July–August 2006. ISSN 1540-7993. doi: 10.1109/MSP.2006.101.
  11. Y. Beres, M. C. Mont, J. Griffin, and S. Shiu. Using security metrics coupled with predictive modeling and simulation to assess security processes. In ESEM 2009: 3rd International Symposium on Empirical Software Engineering and Measurement, pages 564–573, October 2009. doi: 10.1109/ESEM.2009.5314213.
  12. Tony Boswell. Smart card security evaluation: Community solutions to intractable problems. Information Security Technical Report, 14(2):57–69, 2009. ISSN 1363-4127. doi: 10.1016/j.istr.2009.06.002. URL www.sciencedirect.com/science/article/B6VJC-4WRD6D1-1/2/d597ad103edca1eb284099b28e6df2c8. Special issue: Smart Card Applications and Security.
  13. Valentina Casola, Antonino Mazzeo, Nicola Mazzocca, and Valeria Vittorini. A policy-based methodology for security evaluation: A security metric for public key infrastructures. Journal of Computer Security, 15(2):197–229, 2007. ISSN 0926-227X. URL iospress.metapress.com/content/drey94ehayv332m8/.
  14. Kwo-Jean Farn, Shu-Kuo Lin, and Andrew Ren-Wei Fung. A study on information security management system evaluation: assets, threat and vulnerability. Computer Standards & Interfaces, 26(6):501–513, 2004. ISSN 0920-5489. doi: 10.1016/j.csi.2004.03.012. URL www.sciencedirect.com/science/article/B6TYV-4C8DCR8-1/2/0dacb11345b748201337279240ef9768.
  15. Jane Frankland. IT security metrics: implementation and standards compliance. Network Security, 2008(6):6–9, 2008. ISSN 1353-4858. doi: 10.1016/S1353-4858(08)70075-8. URL www.sciencedirect.com/science/article/B6VJG-4SR10FV-6/2/98d4172be9102ce41def47fb4e2ca77c.
  16. Ryutaro Fujimoto, Hiroyuki Okamura, and Tadashi Dohi. Security evaluation of an intrusion tolerant system with MRSPNs. In ARES 2009: International Conference on Availability, Reliability and Security, pages 427–432, 2009. doi: 10.1109/ARES.2009.143.
  17. Mohamed Gadelrab, Anas Abou El Kalam, and Yves Deswarte. Manipulation of network traffic traces for security evaluation. In WAINA 2009: International Conference on Advanced Information Networking and Applications Workshops, pages 1124–1129, 2009. doi: 10.1109/WAINA.2009.36.
  18. M. Geiger and L. F. Cranor. Scrubbing stubborn data: An evaluation of counter-forensic privacy tools. IEEE Security & Privacy, 4(5):16–25, September–October 2006. ISSN 1540-7993. doi: 10.1109/MSP.2006.132.
  19. M. Hecker and T. Dillon. Privacy support and evaluation on an ontological basis. In ICDEW 2007: IEEE 23rd International Conference on Data Engineering Workshop, pages 221–227, April 2007. doi: 10.1109/ICDEW.2007.4400995.
  20. Andrew Jaquith. Security Metrics: Replacing Fear, Uncertainty and Doubt. Addison-Wesley, 2007.
  21. Wayne Jansen. Directions in security metrics research. NISTIR 7564, National Institute of Standards and Technology, 2009. URL csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf.
  22. Zhang Lufeng, Tang Hong, Cui YiMing, and Zhang JianBo. Network security evaluation through attack graph generation. World Academy of Science, Engineering and Technology, 54:412–415, 2009. URL www.waset.org/journals/waset/v54/v54-73.pdf.
  23. E. A. Nichols and G. Peterson. A metrics framework to drive application security improvement. IEEE Security & Privacy, 5(2):88–91, March–April 2007. ISSN 1540-7993. doi: 10.1109/MSP.2007.26.
  24. Joseph Pamula, Sushil Jajodia, Paul Ammann, and Vipin Swarup. A weakest-adversary security metric for network configuration security analysis. In QoP 2006, pages 31–38, 2006.
  25. David Rice. Geekonomics: The Real Cost of Insecure Software. Addison-Wesley, 2008.
  26. O. Sami Saydjari. Is risk a good security metric? In QoP 2006, pages 59–60, 2006.
  27. Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. Automated generation and analysis of attack graphs. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 273, Washington, DC, USA, 2002. IEEE Computer Society. ISBN 0-7695-1543-6.
  28. R. von Solms, H. van der Haar, S. H. von Solms, and W. J. Caelli. A framework for information security evaluation. Information & Management, 26(3):143–153, 1994. ISSN 0378-7206. doi: 10.1016/0378-7206(94)90038-8. URL www.sciencedirect.com/science/article/B6VD0-45P0BVW-7F/2/c14399af664c5a1749e8fad3806ea719.
  29. Lingyu Wang, Tania Islam, Tao Long, Anoop Singhal, and Sushil Jajodia. An attack graph-based probabilistic security metric. In DBSec 2008, pages 283–296, 2008. doi: 10.1007/978-3-540-70567-3_22.
  30. Jeannette M. Wing. Attack graph generation and analysis. In ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, page 14, New York, NY, USA, 2006. ACM. ISBN 1-59593-272-0. doi: 10.1145/1128817.1128822.

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Charles A. Shoniregun (1)
  • Kudakwashe Dube (2)
  • Fredrick Mtenzi (3)
  1. Infonomics Society, United Kingdom and Ireland
  2. Computer Science and Information Technology, School of Engineering & Advanced Technology (SEAT), Massey University, New Zealand
  3. Dublin Institute of Technology, Ireland