Skip to main content

How Good is a Security Policy against Real Breaches? A HIPAA Case Study

Kafalı, Özgur, Jones, Jasmine, Petruso, Megan, Williams, Laurie, Singh, Munindar P. (2017) How Good is a Security Policy against Real Breaches? A HIPAA Case Study. In: 2017 IEEE/ACM 39th International Conference on Software Engineering. . pp. 530-540. ISBN 978-1-5386-3868-2. (doi:10.1109/ICSE.2017.55)

PDF - Author's Accepted Manuscript
Download (292kB) Preview
[img]
Preview
Official URL
http://dx.doi.org/10.1109/ICSE.2017.55

Abstract

Policy design is an important part of software development. As security breaches increase in variety, designing a security policy that addresses all potential breaches becomes a nontrivial task. A complete security policy would specify rules to prevent breaches. Systematically determining which, if any, policy clause has been violated by a reported breach is a means for identifying gaps in a policy. Our research goal is to help analysts measure the gaps between security policies and reported breaches by developing a systematic process based on semantic reasoning. We propose SEMAVER, a framework for determining coverage of breaches by policies via comparison of individual policy clauses and breach descriptions. We represent a security policy as a set of norms. Norms (commitments, authorizations, and prohibitions) describe expected behaviors of users, and formalize who is accountable to whom and for what. A breach corresponds to a norm violation. We develop a semantic similarity metric for pairwise comparison between the norm that represents a policy clause and the norm that has been violated by a reported breach. We use the US Health Insurance Portability and Accountability Act (HIPAA) as a case study. Our investigation of a subset of the breaches reported by the US Department of Health and Human Services (HHS) reveals the gaps between HIPAA and reported breaches, leading to a coverage of 65%. Additionally, our classification of the 1,577 HHS breaches shows that 44% of the breaches are accidental misuses and 56% are malicious misuses. We find that HIPAA's gaps regarding accidental misuses are significantly larger than its gaps regarding malicious misuses.

Item Type: Conference or workshop item (Proceeding)
DOI/Identification number: 10.1109/ICSE.2017.55
Uncontrolled keywords: Security and privacy breaches, social norms, breach ontology, semantic similarity
Subjects: Q Science > Q Science (General) > Q335 Artificial intelligence
Divisions: Faculties > Sciences > School of Computing
Faculties > Sciences > School of Computing > Security Group
Depositing User: Ozgur Kafali
Date Deposited: 02 Feb 2018 16:23 UTC
Last Modified: 24 Jul 2019 10:26 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/65867 (The current URI for this page, for reference purposes)
  • Depositors only (login required):

Downloads

Downloads per month over past year