News and Events


Latest Website Updates

publications
Protecting Sensitive Tabular Data in Hybrid Clouds

Abstract: Regulated industries, such as Healthcare and Finance, are starting to move parts of their data and workloads to the public cloud. However, they are still reluctant to trust the public cloud with their most sensitive records, and hence leave them on their premises, leveraging the hybrid cloud architecture. We address the security and performance challenges of big data analytics using a hybrid cloud in a real-life use case from a hospital. In this use case, the hospital collects sensitive patient data and wants to run analytics on it in order to lower antibiotics resistance, a significant challenge in healthcare. We show that it is possible to run large-scale analytics on data that is securely stored in the public cloud encrypted using Apache Parquet Modular Encryption (PME), without significant performance losses even if the secret encryption keys are stored on-premises. PME is a standard mechanism for data encryption and key management, not specific to any public cloud, and therefore helps prevent vendor lock-in. It also provides privacy and integrity guarantees, and enables granular access control to the data. We also present an innovation in PME for lowering the performance hit incurred by calls to the Key Management Service. Our solution therefore enables protecting large amounts of sensitive data in hybrid clouds while still allowing valuable insights to be gained from it efficiently.

publications
A Hybrid Threat Model for Smart Systems

Abstract: Cyber-physical systems and their smart components have a pervasive presence in all our daily activities. Unfortunately, identifying the potential threats and issues in these systems and selecting enough protection is challenging given that such environments combine human, physical and cyber aspects to the system design and implementation. Current threat models and analysis do not take into consideration all three aspects of the analyzed system, how they can introduce new vulnerabilities or protection measures to each other. In this work, we introduce a novel threat model for cyber-physical systems that combines the cyber, physical, and human aspects. Our model represents the system's components' relations and security properties by taking into consideration these three aspects. Together with the threat model we also propose a threat analysis method that allows understanding the security state of the system's components. The threat model and the threat analysis have been implemented into an automatic tool, called TAMELESS, that automatically analyzes threats to the system, verifies its security properties, and generates a graphical representation, useful for security architects to identify the proper prevention/mitigation solutions. We show and prove the use of our threat model and analysis with three case studies from different sectors.

publications
Privacy-Aware IoT: State-of-the-Art and Challenges

Abstract: The consumer IoT is now prevalent and creates an enormous amount of fine-grained, detailed information about consumers’ everyday actions, personalities, and preferences. Such detailed information brings new and unique privacy challenges. The consumers are not aware of devices that surround them. There is a lack of transparency and absence of support for consumers to control the collection and processing of their personal and sensitive data. This paper reports on a review of the state of the art in privacy protection in IoT, with respect to privacy enhancing technologies (PETs) and GDPR-specific privacy principles. Drawing on a thorough analysis of 36 full papers, we identify key privacy challenges in IoT that need to be addressed to provide consumers with transparency and control over their personal data. The privacy challenges we have identified are (1) the lack of technical expertise in privacy notice comprehension, (2) the lack of transparency and control of personal data, and (3) the lack of personalized privacy recommendations.

publications
A Need for Privacy Assistive Technology in Notice and Consent Paradigm

Abstract: A privacy notice is a document/notification that is addressed to consumers, describing how their personal information will be handled. While browsing the Internet, installing an app on a smartphone, setting up a smart sensor or IoT devices in personal spaces, consumers are often asked to consent to privacy notices. Ideally, the consumer is expected to read and understand the notice and give informed consent. These notices are often lengthy and complicated, containing legal-technical jargon and ambiguous statements describing commercial use of personal data. Most people reflexively choose “I consent”, unknowingly agreeing to unfair-deceptive practices. Given the ubiquity of IoT and thus ubiquity of (personal) data collection, the reliance on notice and consent is inappropriate. In this article, we present the challenges of the notice and consent paradigm, and explore the idea of privacy-assistive solutions to enhance consumer privacy awareness and control in IoT.

publications
Tell Me What that Means to You: Small-Story Narratives in Technology Adoption

Abstract: Technology adoption is often predicted based on little information such as the Perceived ease-of-use and the Perceived usefulness of the technology. Related constructs such as Attitude to use, Behavioral intention to use and External variables cannot be easily operationalised and so are often ignored. However, technology characteristics themselves fail to represent other factors such as potential adopter attitudes and how they react to the opportunities offered by the technology to meet their needs. In a series of three studies, qualitative methods were used to identify, validate and then exploit narrative themes. Based on the short narratives of potential adopters discussing their experiences with a set of cybersecurity tools, we are developing a small-story narrative framework to capture how they respond to the technology contextualised directly within their professional environment. Akin to concepts from adoption frameworks in healthcare intervention studies, we conclude that adopters’ personal response to a technology and how they make sense of it in their environment becomes evident in the narratives they create.

publications
I Just Want to Help: SMEs Engaging with Cybersecurity Technology

Abstract: The cybersecurity landscape is particularly challenging for SMEs. On the one hand, they must comply with regulation or face legal sanction. But on the other, they may not have the resource or expertise to ensure regulatory compliance, especially since this is not their core business. At the same time, it is also well-attested in the literature that individuals (human actors in the ecosystem) are often targeted for cyber attacks. So, SMEs must also consider their employees but also their clients as potential risks regarding cybersecurity. Finally, it is also known that SMEs working together as part of a single supply chain are reluctant to share cybersecurity status and information. Given all of these challenges, assuming SMEs recognise their responsibility for security, they may be overwhelmed in trying to meet all the associated requirements. There are tools to help support them, of course, assuming they are motivated to engage with such tooling. This paper looks at the following aspects of this overall situation. In a set of four studies, we assess private citizen understanding of cybersecurity and who they believe to be responsible. On that basis, we then consider their attitude to sharing data with service providers. Moving to SMEs, we provide a general overview of their response to the cybersecurity landscape. Finally, we ask four SMEs across different sectors how they respond to cybersecurity tooling. As well as providing an increased understanding of private citizen and SME attitudes to cybersecurity, we conclude that SMEs need not be overwhelmed by their responsibilities. On the contrary, they can take the opportunity to innovate based on their experience with cybersecurity tools.