Biblio

Sets of ideal properties are defined for different kinds of protocols designed for e-commerce applications. These sets are used as a start point in the design and then as a tool to evaluate the quality of the protocols. This is the case of fair exchange protocols and their application to electronic contract signing and certified electronic mail. However, in this area does not exist an agreement about which properties are ideal. Instead we can find properties described by different authors to his convenience. We illustrate the contradictions that appear between some of these properties.

The number of insider threats hitting organizations and big enterprises is rapidly growing. Insider threats occur when trusted employees misuse their permissions on organizational assets. Since insider threats know the organization and its processes, very often they end up undetected. Therefore, there is a pressing need for organizations to adopt preventive mechanisms to defend against insider threats. In this paper, we propose a framework for insiders identification during the early requirement analysis of organizational settings and of its IT systems. The framework supports security engineers in the detection of insider threats and in the prioritization of them based on the risk they represent to the organization. To enable the automatic detection of insider threats, we extend the SI* requirement modeling language with an asset model and a trust model. The asset model allows associating security properties and sensitivity levels to assets. The trust model allows specifying the trust level that a user places in another user with respect to a given permission on an asset. The insider threats identification leverages the trust levels associated with the permissions assigned to users, as well as the sensitivity of the assets to which access is granted. We illustrate the approach based on a patient monitoring scenario.