Kitsios,Chatzidimitriou,Kamariotou

DOI: https://doi.org/10.3390/su15075828

IF: 3.9

2023-03-28

Sustainability

Abstract:In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make a investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.

environmental sciences,environmental studies,green & sustainable science & technology

Lalitha Sravanti Dasu,Mannav Dhamija,Gurram Dishitha,Ajith Vivekanandan,V. Sarasvathi

DOI: https://doi.org/10.2478/cait-2023-0016

2023-06-01

Cybernetics and Information Technologies

Abstract:Abstract Defending against identity-based threats, which have predominantly increased in the era of remote access and working, requires non-conventional, dynamic, intelligent, and strategic means of authenticating and authorizing. This paper aims at devising detailed risk-scoring algorithms for five real-time use cases to make identity security adaptive and risk-based. Zero-trust principles are incorporated by collecting sign-in logs and analyzing them continually to check for any anomalies, making it a dynamic approach. Users are categorized as risky and non-risky based on the calculated risk scores. While many adaptive security mechanisms have been proposed, they confine identities only to users. This paper also considers devices as having an identity and categorizes them as safe or unsafe devices. Further, results are displayed on a dashboard, making it easy for security administrators to analyze and make wise decisions like multifactor authentication, mitigation, or any other access control decisions as such.

Nikhil Ghadge

DOI: https://doi.org/10.5121/ijci.2024.130401

2024-07-13

International Journal on Cybernetics & Informatics

Abstract:Ensuring the security of digital identities has become increasingly critical in today's interconnected world. This research investigates the intricate difficulties around securing digital identities, spanning technological, human, legal, and regulatory aspects. Key technological hurdles include vulnerabilities in authentication mechanisms, risks associated with biometric data, issues with multi-factor authentication, and challenges in implementing secure hardware. Human factors like social engineering threats, lack of awareness and education, insider threats, and psychological impacts of identity theft further complicate the landscape. Working though legal requirements and adhering to regulations, such as with data protection laws, cross-border data security issues, establishing digital identity standards, and balancing privacy and security concerns pose additional obstacles. The paper highlights the severe implications of unsecured digital identities and provides recommendations for enhancing security through a multi-pronged approach involving technological advancements, educational initiatives, and ethical considerations. The appeal underscores the pressing necessity for continued research. and collaborative efforts to bolster encryption, authentication protocols, and policy enforcement mechanisms in the digital domain.

Abubakar-Sadiq Shehu

2024-09-05

Abstract:Identity Management Systems (IdMs) have complemented how users are identified, authenticated, and authorised on e-services. Among the methods used for this purpose are traditional IdMs (isolated, centralised and federated) that mostly rely on identity providers (IdPs) to broker trust between a user and service-providers (SPs). An IdP also identifies and authenticates a user on-behalf of the SP, who then determines the authorisation of the user. In these processes, both SP and IdP collect, process or store private users' data, which can be prone to breach. One approach to address the data breach is to relieve the IdP, and return control and storage of personal data to the owner. Self-sovereign identity (SSI) was introduced as an IdM model to reduce the possibility of data breaches by offering control of personal data to the owner. SSI is a decentralised IdM, where the data owner has sovereign control of personal data stored in their digital wallet. Since SSI is an emerging technology, its components and methods require careful evaluation. This paper provides an evolution to IdMs and reviews the state-of-the-art SSI frameworks. We explored articles in the literature that reviewed blockchain solutions for General Data Protection Regulation (GDPR). We systematically searched recent SSI and blockchain proposals, evaluated the compliance of the retrieved documents with the GDPR privacy principles, and discussed their potentials, constraints, and limitations. This work identifies potential research gaps and opportunities.

Cryptography and Security

Jongbae Kim

DOI: https://doi.org/10.3390/electronics13193954

IF: 2.9

2024-10-09

Electronics

Abstract:The rapid expansion of non-face-to-face e-commerce services in the Korea has significantly increased the importance of personal identity proofing (PIP) for verifying users in online transactions, such as payments, refunds, membership registrations, and access to age-restricted products. Currently, personal identity proofing agencies (PIPAs) indiscriminately provide all of a user's personal information to internet service providers (ISPs), leading to substantial privacy concerns and preventing users from selectively disclosing only the necessary information. The objective of this paper is to enhance the safety, convenience, and security of PIP services by proposing a method that empowers users to control the personal information they disclose while enabling digital identity integration for both online and offline applications. To achieve this, an extensive overview and analysis of the current PIP systems in Korea is presented, including methods. The strengths and weaknesses of these systems are critically examined, revealing limitations in privacy protection, user convenience, and security. Based on this analysis, a new method is proposed that introduces differentiated levels of PIP means according to authentication strength, allowing for the minimal necessary disclosure of personal information. The proposed method aims to improve the stability and reliability of the PIP service environment by addressing current privacy concerns and enhancing user control over personal information. This approach can be applied to e-commerce services in Korea and other countries facing similar challenges, contributing to the development of safer and more reliable online services.

engineering, electrical & electronic,computer science, information systems,physics, applied

Geoff Goodell,Tomaso Aste

DOI: https://doi.org/10.3389/fbloc.2019.00017

2019-10-27

Abstract:Current architectures to validate, certify, and manage identity are based on centralised, top-down approaches that rely on trusted authorities and third-party operators. We approach the problem of digital identity starting from a human rights perspective, with a primary focus on identity systems in the developed world. We assert that individual persons must be allowed to manage their personal information in a multitude of different ways in different contexts and that to do so, each individual must be able to create multiple unrelated identities. Therefore, we first define a set of fundamental constraints that digital identity systems must satisfy to preserve and promote privacy as required for individual autonomy. With these constraints in mind, we then propose a decentralised, standards-based approach, using a combination of distributed ledger technology and thoughtful regulation, to facilitate many-to-many relationships among providers of key services. Our proposal for digital identity differs from others in its approach to trust in that we do not seek to bind credentials to each other or to a mutually trusted authority to achieve strong non-transferability. Because the system does not implicitly encourage its users to maintain a single aggregated identity that can potentially be constrained or reconstructed against their interests, individuals and organisations are free to embrace the system and share in its benefits.

Computers and Society

Nishant Anand,Irina Brass

DOI: https://doi.org/10.1017/dap.2021.35

2021-01-01

Abstract:Abstract Digital identity (eID) systems are a crucial piece in the digital services ecosystem. They connect individuals to a variety of socioeconomic opportunities but can also reinforce power asymmetries between organizations and individuals. Data collection practices can negatively impact an individual’s right to privacy, autonomy, and self-determination. Protecting individual rights, however, may be at odds with imperatives of profit maximization or national security. The use of eID technologies is hence highly contested. Current approaches to governing eID systems have been unable to fully address the trade-offs between the opportunities and risks associated with these systems. The responsible innovation (RI) literature provides a set of principles to govern disruptive innovations, such as eID systems, toward societally desirable outcomes. This article uses RI principles to develop a framework to govern eID systems in a more inclusive, responsible, and user-centered manner. The proposed framework seeks to complement existing practices for eID system governance by bringing forth principles of deliberation and democratic engagement to build trust amongst stakeholders of the eID system and deliver shared socioeconomic benefits.

Marek Tiits,Tarmo Kalvet,David McBee

2024-12-10

Abstract:This paper addresses critical questions surrounding the security of government-issued identity documents and their potential misuse, with an emphasis on understanding the perspectives of ordinary citizens across Europe and the United States of America. Drawing upon research on technology acceptance and diffusion, the research focuses on understanding the factors that influence users' adoption of novel identity management solutions. Our methodology includes a comprehensive, census-representative survey spanning citizens from France, Germany, Italy, Spain, the United Kingdom, and the USA. The paper's findings underscore a robust confidence in government-issued identity documents, contrasted by a lower trust in private sector services, including social media platforms and email accounts. The adoption of artificial intelligence for identity verification remains contested, with a significant percentage of respondents undecided, indicating a need for explicit explanation and transparency about its implementation and related risks. Public sentiment leans towards acceptance of government data collection for identification purposes; however, the sharing of this data with private entities elicits more apprehension.

Computers and Society

Chetana Pujari,Balachandra Muniyal,Chandrakala C B,Anirudha Rao,Vasudeva Sadiname,Muttukrishnan Rajarajan

DOI: https://doi.org/10.1016/j.compbiomed.2023.107702

Abstract:In response to the evolving landscape of digital technology in healthcare, this study addresses the multifaceted challenges pertaining to identity and data privacy. The core of our key recovery-enabled framework revolves around the establishment of a robust identity verification system, leveraging the World Wide Web Consortium(W3C) standard for verifiable credentials(VC) and a test blockchain network. The approach leverages cryptographic proofs embedded within credentials issued by various entities to securely validate the legitimacy of identities. To ensure standardized identity establishment, the roles and responsibilities of entities align with the UK digital identity and attribute trust framework, resulting in a cohesive verification process. Embracing self-sovereign identity (SSI), encrypted credentials are stored within the owner's device, empowering individuals with data control while prioritizing privacy and security. Furthermore, the work introduces an algorithm that places paramount importance on owner-centricity, trustworthiness, and privacy-aware handling of SSI credentials, subjected to threat modeling through the Owasp Dragon tool. A key recovery algorithm, a key component of our Recovery-Enabled Framework, empowers users to regain credentials using a trustee-based recovery system with a memorized PIN, eliminating the need for third-party reliance. Furthermore, a trust score, a crucial component of the framework, assesses the conformity of verified credentials with stated standards, boosting trust in established identities. Leveraging the modularity of Hyperledger Fabric, the work utilizes smart contracts to impose context-aware attribute-based policies, ensuring controlled access, traceability, and auditability, consequently strengthening security. Through comprehensive development, refinement, and rigorous testing, the prototype emerges as a potent tool for enhancing security within the Digital Health Ecosystem. It equips organizations with the means to navigate this digital landscape while inspiring trust among stakeholders, significantly contributing to the resilience of identity in the digital health ecosystem.

James Pavur,Casey Knerr

DOI: https://doi.org/10.48550/arXiv.1912.00731

2019-12-02

Abstract:The General Data Protection Regulation (GDPR) has become a touchstone model for modern privacy law, in part because it empowers consumers with unprecedented control over the use of their personal information. However, this same power may be susceptible to abuse by malicious attackers. In this paper, we consider how legal ambiguity surrounding the "Right of Access" process may be abused by social engineers. This hypothesis is tested through an adversarial case study of more than 150 businesses. We find that many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties. This information varied in sensitivity from simple public records to Social Security Numbers and account passwords. These findings suggest a critical need to improve the implementation of the subject access request process. To this end, we propose possible remediations which may be appropriate for further consideration by government, industry and individuals.

Cryptography and Security,Computers and Society

Shlok Gilda,Tanvi Jain,Aashish Dhalla

DOI: https://doi.org/10.48550/arXiv.2207.02207

2022-07-06

Abstract:Authentication and authorization of a user's identity are generally done by the service providers or identity providers. However, these centralized systems limit the user's control of their own identity and are prone to massive data leaks due to their centralized nature. We propose a blockchain-based identity management system to authenticate and authorize users using attribute-based access control policies and privacy-preserving algorithms and finally returning the control of a user's identity to the user. Our proposed system would use a private blockchain, which would store the re-certification events and data access and authorization requests for users' identities in a secure, verifiable manner, thus ensuring the integrity of the data. This paper suggests a mechanism to digitize documents such as passports, driving licenses, electricity bills, etc., issued by any government authority or other authority in an immutable and secure manner. The data owners are responsible for authenticating and propagating the users' identities as and when needed using the OpenID Connect protocol to enable single sign-on. We use advanced cryptographic algorithms to provide pseudonyms to the users, thus ensuring their privacy. These algorithms also ensure the auditability of transactions as and when required. Our proposed system helps in mitigating some of the issues in the recent privacy debates. The project finds its applications in citizen transfers, inter-country service providence, banks, ownership transfer, etc. The generic framework can also be extended to a consortium of banks, hospitals, etc.

Cryptography and Security

Konstantinos Lampropoulos,Nikos Kyriakoulis,Spyros Denazis

DOI: https://doi.org/10.48550/arXiv.2212.02185

2022-12-05

Abstract:Digital identities today continue to be a company resource instead of belonging to the actual person they represent. At the same time, the digitalization of everyday services intensifies the Identity Management problem and leads to a constant increase of users online identities and identity related data. This paper presents DIMANDS2, a framework capable of organizing identity data that allows service providers and identity issuers securely exchange identity related information in a privacy-enabled manner while the user maintains full control over any activity related to his/her identity data. The framework is format-agnostic and can accommodate any type of identifier (existing or new), without requiring from existing services and providers to implement and adopt another new global identifier.

Cryptography and Security

Michele Guido Mario Lavizzari,Marco Di Luzio,Claudio Tommasino

DOI: https://doi.org/10.69554/siex7783

2021-06-01

Abstract:This paper aims to illustrate how digital identity has become an important element of business transformation in the financial sector and how digital identity is evolving from an asset to support business in a new revenue stream. In an increasingly digitised world, the trusted digital identity assumes the important role of enabling the legal validity of any type of digital transaction. This centrality has attracted huge investments by companies to make the onboarding of online customers and the release of digital credentials to their customer base increasingly effective and frictionless, while preserving compliance and user experience. We illustrate the main models adopted in the current context in which a progressive transfer is taking place from identification processes helped by specialised staff to completely unattended processes. Finally, we show how the digital identity evolution is moving to a new paradigm that will revolutionise the approach to digital identity management. Thanks to the development of Blockchain technologies, digital identity is evolving even further. In the self-sovereign identity (SSI) vision, digital identities will no longer be merely an element to support commercial transactions but a new strategic asset to leverage in order to generate new business. This new paradigm will offer a new business opportunity to banks that will allow them to capitalise their information assets securely in full compliance with the privacy protection regulations, General Data Protection Regulation (GDPR). In the new SSI paradigm, digital identity management of the customer base represents the asset around which financial institutions must leverage to create new value, develop new business models and generate new revenue streams.

Chuan Zhang,Mingyang Zhao,Weiting Zhang,Qing Fan,Jianbing Ni,Liehuang Zhu

DOI: https://doi.org/10.1109/jsac.2023.3345392

IF: 16.4

2023-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Metaverse provides human-centric immersive communication experiences where humans can teleport across different virtual landscapes and build real-time communications via digital identities with others in the same landscape. Despite great benefits, a natural question in human-centric metaverse communications is how to secure digital content among humans. In this regard, blockchain has been widely applied due to its distinct features (e.g., decentralization, transparency, and immutability). Unfortunately, the inherent properties of the blockchain also hinder humans from further deploying preferences to flexibly govern the digital content (i.e., who can read and who can edit), limiting human-centric communication abilities. Some redactable blockchain-based solutions have been proposed, but most of them suffer from the issues of data and preference leakage. To address the issues, we propose a privacy-preserving identity-based data governance (IDRG) scheme for blockchain-empowered human-centric metaverse communications. Combining digital identities, IDRG cryptographically allows humans to govern readability and editability with the right downward compatibility (i.e., humans with editability are endowed with readability) while protecting policy privacy. Specifically, IDRG leverages the polynomial function technique to break through the bottleneck of the traditional identity-based encryption technique (i.e., a policy only contains a user) to achieve a policy for multiple users. Subsequently, the optimized policies are utilized to enrich chameleon hash-based redactable blockchains for comprehensive rights governance. Further, IDRG supports user accountability and revocation by combining the proxy re-encryption technique. Security analysis proves the security of IDRG under the chosen-ciphertext attack. Experiments on the FISCO blockchain platform demonstrate that IDRG requires approximately 0.1 s to process an encryption request, 0.01 s for a reading request, and 1 s for an editing request. Overall, IDRG achieves a 3x reduction in computational costs compared with state-of-the-art solutions.

Fahad Algarni,Saeed Ullah Jan

DOI: https://doi.org/10.1109/access.2024.3382579

IF: 3.9

2024-04-05

IEEE Access

Abstract:The infrastructureless architecture for Internet-of-Drones (IoD) environment regulates drones in airspace for performing tactical tasks. Synergy is crucial for IoD participants; otherwise, complex task completion is impossible because IoD is a newer area that has gained more attention for domestic and commercial usage. However, wireless communication in the IoD environment is prone to numerous threats; security and privacy are among the top challenges. If all the participating entities of IoD become securely authenticated, then information broadcasting will never be confronted by a strong adversary. Therefore, in this research article, we have designed a robust and lightweight security mechanism based on a fuzzy extractor and the MD5 (Message Digest 5) method to authenticate all IoD participants and ensure secure communication. The security analysis of the proposed biometric-based authentication mechanism has been formally verified through a simulation toolkit ProVerif and Random-Oracle Model (ROM) and informally through propositions. The performance metrics of the proposed protocol have been measured by considering communication and computation costs. The result obtained from the security and performance analysis sections shows that the secrecy, reachability, and confidentiality of the session secret key are, of course, ensuring secure information communication for the IoD environment. When comparing it with prior works, the result demonstrated that it can be strongly recommended for practical implementation in the IoD environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chintan Patel,M.P. Aryan,Prosanta Gope,John Clark

DOI: https://doi.org/10.1016/j.cose.2024.103793

IF: 5.105

2024-03-06

Computers & Security

Abstract:Digital Twin (DT) is a revolutionary technology changing how a smart manufacturing industry carries out its day-to-day activities. DT can provide numerous advantages such as real-time synchronised functioning, monitoring and data analysis. However, security and privacy issues in DT have not been thoroughly investigated. This article proposes a user-empowerment-based privacy-preserving authentication protocol for a cloud-based Digital Twin using a Decentralised Identifier (DID) and Verifiable Credential (VC). Here, user empowerment provides full control to users over their identities, and with the help of VC, users can prove their authenticity and preserve their privacy. Although DID has emerged as a promising technology for introducing user empowerment, it suffers from some fundamental problems such as usability and auditability . Here we address all these issues and propose a user-revocation-enabled security solution for the DT. A security analysis of the proposed scheme shows that it is secured against significant security threats. With the help of performance analysis, we prove that the proposed work effectively ensures security and privacy in DT.

computer science, information systems

Mohamed Abomhara,Livinus Obiora Nweke,Sule Yildirim Yayilgan,Debora Comparin,Kristel Teyras,Stéphanie de Labriolle

DOI: https://doi.org/10.1007/s10207-024-00905-0

2024-09-04

International Journal of Information Security

Abstract:Privacy by Design (PbD) is a well-known concept that aims to provide a high level of protection for privacy throughout the entire life cycle of systems development. Despite the considerable attention from stakeholders such as researchers, government agencies, and system suppliers, the widespread adoption of PbD faces obstacles due to a lack of knowledge, insufficient awareness of PbD benefits, and the absence of specific implementation guidelines. In this study, stakeholders are identified primarily as diverse participants from government agencies and system suppliers engaged in National Identification Systems (NIDS). Specifically, government agencies representing regulatory bodies and administrators of NIDS, setting the legal framework that governs the NIDS's privacy aspects. The NIDS system suppliers includes private companies playing a crucial role in the development and implementation of NIDS with a focus on privacy considerations. Through the perspectives of NIDS stakeholders, this study aimed to examine the Knowledge, Attitudes and Practices (KAP) of PbD principles and its integration in NIDS. A survey involving 203 participants from government agencies and NIDS system suppliers engaged in NIDS development was conducted. Subsequently, a focus group discussion was held with 11 members to provide qualitative insights into the KAP of PbD. The survey results revealed a significant correlation between attitudes and practices but a weak correlation between knowledge and attitudes or practices. The focus group discussion assured these findings, emphasizing the role of positive attitudes in facilitating PbD practices and highlighting knowledge-practice gaps. In conclusion, this study offers tailored recommendations for improving the integration of PbD in NIDS development. The recommendations includes strategies such as developing training programs, establishing clear guidelines and standards and creating awareness campaigns.

computer science, information systems, theory & methods, software engineering

Ayanabha Ghosh,Tathagato Das,Sayan Majumder,Abhishek Roy

DOI: https://doi.org/10.1007/978-981-15-5830-6_10

2020-01-01

Abstract:AbstractIndia is striving hard to deliver Citizen centric electronic services within the affordability of populace. For this purpose, service providers have to rely upon internet as public communication medium, which is susceptible to infringement attempts of adversary. To resolve this issue, vital resources like user information should be managed in secure manner. As the state administrator, Government have to play a vital role to gain the trust of user over this electronic service delivery model. To ensure Privacy, Integrity, Non-Repudiation, Authentication (PINA) of electronic transaction, each user (i.e. Citizen) should be uniquely identified from the initial stage of transaction. This approach will prevent unauthorized access of adversary and hence services can be successfully delivered to the intended recipient only. To achieve this objective, in this paper authors have proposed a 3-level user authentication scheme during Citizen to Government to Bank (i.e. C2G2B) type of electronic transaction carried out through a Citizen centric multivariate smart card based connected service delivery model.

Sabrina Kirrane,Javier D. Fernández,Piero Bonatti,Uros Milosevic,Axel Polleres,Rigo Wenning

DOI: https://doi.org/10.48550/arXiv.2001.09461

2020-01-26

Cryptography and Security

Abstract:The European General Data Protection Regulation (GDPR) brings new challenges for companies who must ensure they have an appropriate legal basis for processing personal data and must provide transparency with respect to personal data processing and sharing within and between organisations. Additionally, when it comes to consent as a legal basis, companies need to ensure that they comply with usage constraints specified by data subjects. This paper presents the policy language and supporting ontologies and vocabularies, developed within the SPECIAL EU H2020 project, which can be used to represent data usage policies and data processing and sharing events. We introduce a concrete transparency and compliance architecture, referred to as SPECIAL-K, that can be used to automatically verify that data processing and sharing complies with the data subjects consent. Our evaluation, based on a new compliance benchmark, shows the efficiency and scalability of the system with increasing number of events and users.

Moon-Ho Joo,Sang-Pil Yoon,Hun-Yeong Kwon,Jong-In Lim

DOI: https://doi.org/10.3233/ip-170057

2018-06-29

Information Polity

Abstract:In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.