Kafalı, Özgur, Jones, Jasmine, Petruso, Megan, Williams, Laurie, Singh, Munindar P. (2017) How Good is a Security Policy against Real Breaches? A HIPAA Case Study. In: 2017 IEEE/ACM 39th International Conference on Software Engineering. . pp. 530-540. IEEE ISBN 978-1-5386-3868-2. (doi:10.1109/ICSE.2017.55) (KAR id:65867)
PDF
Author's Accepted Manuscript
Language: English |
|
Download this file (PDF/338kB) |
Preview |
Request a format suitable for use with assistive technology e.g. a screenreader | |
Official URL: http://dx.doi.org/10.1109/ICSE.2017.55 |
Abstract
Policy design is an important part of software development. As security breaches increase in variety, designing a security policy that addresses all potential breaches becomes a nontrivial task. A complete security policy would specify rules to prevent breaches. Systematically determining which, if any, policy clause has been violated by a reported breach is a means for identifying gaps in a policy. Our research goal is to help analysts measure the gaps between security policies and reported breaches by developing a systematic process based on semantic reasoning. We propose SEMAVER, a framework for determining coverage of breaches by policies via comparison of individual policy clauses and breach descriptions. We represent a security policy as a set of norms. Norms (commitments, authorizations, and prohibitions) describe expected behaviors of users, and formalize who is accountable to whom and for what. A breach corresponds to a norm violation. We develop a semantic similarity metric for pairwise comparison between the norm that represents a policy clause and the norm that has been violated by a reported breach. We use the US Health Insurance Portability and Accountability Act (HIPAA) as a case study. Our investigation of a subset of the breaches reported by the US Department of Health and Human Services (HHS) reveals the gaps between HIPAA and reported breaches, leading to a coverage of 65%. Additionally, our classification of the 1,577 HHS breaches shows that 44% of the breaches are accidental misuses and 56% are malicious misuses. We find that HIPAA's gaps regarding accidental misuses are significantly larger than its gaps regarding malicious misuses.
Item Type: | Conference or workshop item (Proceeding) |
---|---|
DOI/Identification number: | 10.1109/ICSE.2017.55 |
Uncontrolled keywords: | Security and privacy breaches, social norms, breach ontology, semantic similarity |
Subjects: | Q Science > Q Science (General) > Q335 Artificial intelligence |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
Depositing User: | Ozgur Kafali |
Date Deposited: | 02 Feb 2018 16:23 UTC |
Last Modified: | 05 Nov 2024 11:04 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/65867 (The current URI for this page, for reference purposes) |
- Link to SensusAccess
- Export to:
- RefWorks
- EPrints3 XML
- BibTeX
- CSV
- Depositors only (login required):