Adib Habbal,Mohamed Khalif Ali,Mustafa Ali Abuzaraida

DOI: https://doi.org/10.1016/j.eswa.2023.122442

IF: 8.5

2023-11-17

Expert Systems with Applications

Abstract:Artificial Intelligence (AI) has become pervasive, enabling transformative advancements in various industries including smart city, smart healthcare , smart manufacturing, smart virtual world and the Metaverse. However, concerns related to risk, trust, and security are emerging with the increasing reliance on AI systems. One of the most beneficial and original solutions for ensuring the reliability and trustworthiness of AI systems is AI Trust, Risk and Security Management (AI TRiSM) framework. Despite being comparatively new to the market, the framework has demonstrated already its effectiveness in various products and AI models. It has successfully contributed to fostering innovation, building trust, and creating value for businesses and society. Due to the lack of systematic investigations in AI TRiSM, we carried out a comprehensive and detailed review to bridge the existing knowledge gaps and provide a better understanding of the framework from both theoretical and technical standpoints. This paper explores various applications of the AI TRiSM framework across different domains, including finance, healthcare, and the Metaverse. Futhermore, the paper discusses the obstacles related to implementing AI TRiSM framework, including adversarial attacks, the constantly changing landscape of threats, ensuring regulatory compliance, addressing skill gaps, and acquiring expertise in the field. Finally, it explores the future directions of AI TRiSM, emphasizing the importance of continual adaptation and collaboration among stakeholders to address emerging risks and promote ethical and enhanced overall security bearing for AI systems.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Faisal Aqlan

DOI: https://doi.org/10.1016/j.eswa.2015.08.028

IF: 8.5

2016-01-01

Expert Systems with Applications

Abstract:Supply chain risk management (SCRM) has become a critical component of supply chain management with the movement to global supply chains and the increasing occurrence of internal and external risk events. Effective management of supply chain risks requires a comprehensive yet rapid assessment of all the risk factors in the supply chain and their potential impacts. This paper presents a software application framework for rapid risk assessment (RRA) in integrated supply chains. The proposed framework combines qualitative and quantitative methods to assess and prioritize the risks. Qualitative methods are based on surveys used to collect the risk probability and impact data for the main agents in the supply chain (i.e., supplier, customer, manufacturer, etc.). Quantitative methods are based on probability theory and fuzzy logic. Risks are calculated for each agent in the supply chain and are then aggregated per product type. The proposed RRA tool was tested in a manufacturing environment to assess the validity of the proposed framework. Results from the case study showed that the assessment obtained by the proposed framework agrees with what the risk management experts think about the risk levels and priorities in the company.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Nick Lüthi,Christian Matt,Thomas Myrach

DOI: https://doi.org/10.1080/12460125.2020.1859744

2021-02-28

Journal of Decision Systems

Abstract:<span>Many authorities currently use software-based risk-assessment instruments (SBRAIs) to assess a person's potential to commit crimes (e.g. terrorism, sexual assault). SBRAIs promise better, faster, and more consistent decision-making than their paper-based predecessors. The underlying SBRAI classification schema is well-understood, but given the potentially serious ethical consequences of misjudgments, there is a lack of understanding of how a newly introduced IT artefact, or digital transformation, affects the overall process. Applying a value-centric lens and using Value Sensitive Design (VSD), we identify users' most relevant SBRAI values, as well as the existing value tensions between developers and users. We find that various value tensions, which had not been an issue prior to digitization, occur. These are tensions regarding the values traceability, reliability, neutrality, support, and trust. These value tensions often emerge due to misunderstandings and miscommunications that unclear classifications enable. Practitioners should therefore focus on four design guidelines to avoid SBRAI value tensions: constant and accessible information, transparency, isolated use anticipation, and compliance with novice and expert users' requirements.</span>

Xi Yang,Gul Jabeen,Ping Luo,Xiao-Ling Zhu,Mei-Hua Liu

DOI: https://doi.org/10.1007/s11390-018-1843-2

2018-01-01

Abstract:As trust becomes increasingly important in software domain, software trustworthiness - as a complex high-composite concept, has developed into a big challenge people have to face, especially in the current open, dynamic and ever-changing Internet environment. Furthermore, how to recognize and define trust problem from its nature and how to measure software trustworthiness correctly and effectively play a key role in improving users' trust in choosing software. Based on trust theory in the field of humanities and sociology, this paper proposes a measurable S2S (Social-to-Software) software trustworthiness framework, introduces a generalized indicator loss to unify three parts of trustworthiness result, and presents a whole metric solution for software trustworthiness, including the advanced J-M model based on power function and time-loss rate for ability trustworthiness measurement, the fuzzy comprehensive evaluation advanced-model considering effect of multiple short boards for basic standard trustworthiness, and the identity trustworthiness measurement method based on the code homology detecting tools. Finally, it provides a case study to verify that the solution is applicable and effective.

Vincenzo DiLuoffo,William R. Michalson

DOI: https://doi.org/10.54364/aaiml.2023.1155

2023-01-01

Advances in Artificial Intelligence and Machine Learning

Abstract:This paper surveys the area of “Trust Metrics” related to security for autonomous robotic systems. As the robotics industry undergoes a transformation from programmed, task oriented, systems to Artificial Intelligence-enabled learning, these autonomous systems become vulnerable to several security risks, making a security assessment of these systems of critical importance. Therefore, our focus is on a holistic approach for assessing system trust which requires incorporating system, hardware, software, cognitive robustness, and supplier level trust metrics into a unified model of trust. We set out to determine if there were already trust metrics that defined such a holistic system approach. While there are extensive writings related to various aspects of robotic systems such as, risk management, safety, security assurance and so on, each source only covered subsets of an overall system and did not consistently incorporate the relevant costs in their metrics. This paper attempts to put this prior work into perspective, and to show how it might be extended to develop useful systemlevel trust metrics for evaluating complex robotic (and other) systems.

English Else

Javad Ghofrani,Paria Heravi,Kambiz A. Babaei,Mohammad Soorati

DOI: https://doi.org/10.48550/arXiv.2208.01137

2022-08-02

Abstract:Open source projects play a significant role in software production. Most of the software projects reuse and build upon the existing open source projects and libraries. While reusing is a time and cost-saving strategy, some of the key factors are often neglected that create vulnerability in the software system. We look beyond the static code analysis and dependency chain tracing to prevent vulnerabilities at the human factors level. The literature lacks a comprehensive study of the human factors perspective on the issue of trust in reusing open source projects. We performed an interview-based initial study with software developers to get an understanding of the trust issue and limitations among the practitioners. We outline some of the key trust issues in this paper and lay out the first steps toward the trustworthy reuse of software.

Software Engineering

Fang Hou,Slinger Jansen

DOI: https://doi.org/10.1002/smr.2695

2024-06-05

Journal of Software Evolution and Process

Abstract:In this article, we explore current approaches used to evaluate trust in software ecosystems, focusing on analyzing the specific techniques utilized, the primary factors in trust evaluation, the diverse formats for result presentation, as well as the software ecosystem entities considered in the approaches. Third‐party software has streamlined the software engineering process, allowed software engineers to focus on developing more advanced components, and reduced time and cost. This shift has led to software development strategies moving from competition to collaboration, resulting in the concept of software ecosystems, in which internal and external actors work together on shared platforms and place their trust in the ecosystem. However, the increase in shared components has also created challenges, especially in security, as the large dependency trees significantly enlarge a system's attack surface. The situation is made worse by the lack of effective ways to measure and ensure the trustworthiness of these components. In this article, we explore current approaches used to evaluate trust in software ecosystems, focusing on analyzing the specific techniques utilized, the primary factors in trust evaluation, the diverse formats for result presentation, as well as the software ecosystem entities considered in the approaches. Our goal is to provide the status of current trust evaluation approaches, including their limitations. We identify key challenges, including the limited coverage of software ecosystem entities; the objectivity, universality, and environmental impacts of the evaluation approaches; the risk assessment for the evaluation approaches; and the security attacks posed by trust evaluation in these approaches.

computer science, software engineering

Feng Xu,Jing Pan,Wen Lu

DOI: https://doi.org/10.1007/s11390-009-9231-6

2009-01-01

Abstract:Emerging with open environments, the software paradigms, such as open resource coalition and Internetware, present several novel characteristics including user-centric, non-central control, and continual evolution. The goal of obtaining high confidence on such systems is more difficult to achieve. The general developer-oriented metrics and testing-based methods which are adopted in the traditional measurement for high confidence software seem to be infeasible in the new situation. Firstly, the software development is changed from the developer-centric to user-centric, while user's opinions are usually subjective, and cannot be generalized in one objective metric. Secondly, there is non-central control to guarantee the testing on components which formed the software system, and continual evolution makes it impossible to test on the whole software system. Therefore, this paper proposes a trust-based approach that consists of three sequential sub-stages: 1) describing metrics for confidence estimation from users; 2) estimating the confidence of the components based on the quantitative information from the trusted recommenders; 3) estimating the confidence of the whole software system based on the component confidences and their interactions, as well as attempts to make a step toward a reasonable and effective method for confidence estimation of the software system in open environments.

Floris Jansen,Slinger Jansen,Fang Hou

DOI: https://doi.org/10.48550/arXiv.2101.06138

2021-01-15

Abstract:The software ecosystem is a trust-rich part of the world. Collaboratively, software engineers trust major hubs in the ecosystem, such as package managers, repository services, and programming language ecosystems. This trust, however, is often broken by vulnerabilities, ransomware, and abuse from malignant actors. But what is trust? In this paper we explore, through twelve in-depth interviews with software engineers, how they perceive trust in their daily work. From the interviews we conclude three things. First, software engineers make a distinction between an adoption factor and a trust factor when selecting a package. Secondly, while in literature mostly technical factors are considered as the main trust factors, the software engineers in this study conclude that organizational factors are more important. Finally, we find that different kinds of software engineers require different views on trust, and that it is impossible to create one unified perception of trust. Keywords: software ecosystem trust, empirical software engineering, TrustSECO, external software adoption, cross-sectional exploratory interview analysis, trust perception.

Software Engineering

Huascar Sanchez,Briland Hitaj

DOI: https://doi.org/10.48550/arXiv.2210.02656

2022-10-11

Abstract:Open-source is frequently described as a driver for unprecedented communication and collaboration, and the process works best when projects support teamwork. Yet, open-source cooperation processes in no way protect project contributors from considerations of trust, power, and influence. Indeed, achieving the level of trust necessary to contribute to a project and thus influence its direction is a constant process of change, and developers take many different routes over many communication channels to achieve it. We refer to this process of influence-seeking and trust-building as trust ascendancy. This paper describes a methodology for understanding the notion of trust ascendancy and introduces the capabilities that are needed to localize trust ascendancy operations happening over open-source projects. Much of the prior work in understanding trust in open-source software development has focused on a static view of the problem using different forms of quantity measures. However, trust ascendancy is not static, but rather adapts to changes in the open-source ecosystem in response to new input. This paper is the first attempt to articulate and study these signals from a dynamic view of the problem. In that respect, we identify related work that may help illuminate research challenges, implementation tradeoffs, and complementary solutions. Our preliminary results show the effectiveness of our method at capturing the trust ascendancy developed by individuals involved in a well-documented 2020 social engineering attack. Our future plans highlight research challenges and encourage cross-disciplinary collaboration to create more automated, accurate, and efficient ways to model and then track trust ascendancy in open-source projects.

Software Engineering,Machine Learning

Ricardo M. Czekster

2024-09-05

Abstract:DevOps (development and operations), has significantly changed the way to overcome deficiencies for delivering high-quality software to production environments. Past years witnessed an increased interest in embedding DevOps with cybersecurity in an approach dubbed secure DevOps. However, as the practices and guidance mature, teams must consider them within a broader risk context. We argue here how secure DevOps could profit from engaging with risk related activities within organisations. We focus on combining Risk Assessment (RA), particularly Threat Modelling (TM) and apply security considerations early in the software life-cycle. Our contribution provides a roadmap for enacting secure DevOps alongside risk objectives, devising informed ways to improve TM and establishing effective security underpinnings in organisations focusing on software products and services. We aim to outline proven methods over the literature on the subject discussing case studies, technologies, and tools. It presents a case study for a real-world inspired organisation employing the proposed approach with a discussion. Enforcing these novel mechanisms centred on security requires investment, training, and stakeholder engagement. It requires understanding the actual benefits of automation in light of Continuous Integration/Continuous Delivery settings that improve the overall quality of software solutions reaching the market.

Software Engineering,Cryptography and Security

Karim Djemame,Django J. Armstrong,Mariam Kiran,Ming Jiang

2011-01-01

Abstract:As the realization of Cloud computing environments advances from a simple and single private Cloud towards a more complex Cloud Service Ecosystem consisting of multiple coexisting public or hybrid Clouds, there are emerging high level concerns such as risk, trust, ecological, security, cost and legal factors that underpin the non-functional properties of the ecosystem. These concerns are beyond the traditional focus of providing functionalities at levels close to a single Cloud infrastructure such as hardware resource virtualization. In this paper we present ongoing research work to analyze and address the risk factor in such a Cloud Service Ecosystem for the purpose of optimizing Cloud service. The main contributions of the work are the design and implementation of an effective and efficient risk assessment framework (methodologies of risk identification, evaluation, mitigation and monitoring) for Cloud service provision. Together with the corresponding mitigation strategies, the framework provides technological assurance that will lead to a higher confidence of Cloud service consumers on one side and a cost-effective and reliable productivity of Cloud Service Provider (SP) and resources organized by individual Infrastructure Provider (IP) on the other side. The design of the risk assessment framework and its software toolkit implementation is part of the research and development work of the OPTIMIS (Optimized Infrastructure Services) project whose objective is to enable an open and dependable Cloud Service Ecosystem that delivers IT services that are adaptable, reliable, auditable and sustainable both ecologically and economically.

Victor Muntés-Mulero,Oscar Ripolles,Smrati Gupta,Jacek Dominiak,Eric Willeke,Peter Matthews,Balázs Somosköi

DOI: https://doi.org/10.1049/iet-sen.2018.5295

2020-01-10

Abstract:Industry in all sectors is experiencing a profound digital transformation that puts software at the core of their businesses. In order to react to continuously changing user requirements and dynamic markets, companies need to build robust workflows that allow them to increase their agility in order to remain competitive. This increasingly rapid transformation, especially in domains like IoT or Cloud computing, poses significant challenges to guarantee high quality software, since dynamism and agile short-term planning reduce the ability to detect and manage risks. In this paper, we describe the main challenges related to managing risk in agile software development, building on the experience of more than 20 agile coaches operating continuously for 15 years with hundreds of teams in industries in all sectors. We also propose a framework to manage risks that considers those challenges and supports collaboration, agility, and continuous development. An implementation of that framework is then described in a tool that handles risks and mitigation actions associated with the development of multi-cloud applications. The methodology and the tool have been validated by a team of evaluators that were asked to consider its use in developing an urban smart mobility service and an airline flight scheduling system.

Software Engineering

Yukasa Murakami,Masateru Tsunoda,Eduardo C. Campos

DOI: https://doi.org/10.48550/arXiv.2209.03518

2022-09-08

Software Engineering

Abstract:In software project management, risk management is a critical factor. Project managers use existing lists of risk or perform brainstorming to identify the risks. However, it is not easy to perceive all the risks objectively. As a result, some risks are perceived based on subjective impression, which leads to risk biases. So, our goals are (i) We clarify the risk perception of developers to enhance the reliability of the brainstorming, and (ii) we calibrate the risk assessment based on a mathematical model to make more accurate risk list. In the analysis, we collected data concerning the risk perception of 69 professional software developers via a questionnaire. The average number of years of experience among these professionals was 18.3. Using the dataset, we applied factor analysis to clarify the factors that affect the evaluation of risk impact. The questionnaire was based on the risk perception theory established by Slovic, in which "dread" and "unknown" are the major factor of risk perception. The analysis result shows that (i) risk experience (i.e., whether a developer actually faced the risk or not) sometimes affects risk assessment (evaluation of risk impact), (ii) risk perception is considered to be based on unknown and dread factors, and (iii) risk assessment can be calibrated by a mathematical model (the average absolute error was 0.20).

Nikolaos Alexopoulos,Sheikh Mahbub Habib,Steffen Schulz,Max Mühlhäuser

DOI: https://doi.org/10.48550/arXiv.1801.05764

2018-01-17

Cryptography and Security

Abstract:Despite years of intensive research in the field of software vulnerabilities discovery, exploits are becoming ever more common. Consequently, it is more necessary than ever to choose software configurations that minimize systems' exposure surface to these threats. In order to support users in assessing the security risks induced by their software configurations and in making informed decisions, we introduce M-STAR, a Modular Software Trustworthiness ARchitecture and framework for probabilistically assessing the trustworthiness of software systems, based on evidence, such as their vulnerability history and source code properties. Integral to M-STAR is a software trustworthiness model, consistent with the concept of computational trust. Computational trust models are rooted in Bayesian probability and Dempster-Shafer Belief theory, offering mathematical soundness and expressiveness to our framework. To evaluate our framework, we instantiate M-STAR for Debian Linux packages, and investigate real-world deployment scenarios. In our experiments with real-world data, M-STAR could assess the relative trustworthiness of complete software configurations with an error of less than 10%. Due to its modular design, our proposed framework is agile, as it can incorporate future advances in the field of code analysis and vulnerability prediction. Our results point out that M-STAR can be a valuable tool for system administrators, regular users and developers, helping them assess and manage risks associated with their software configurations.

D. Sandhya rani,T. Varalakshmi,G. Hemanth kumar

DOI: https://doi.org/10.47392/irjaem.2024.0255

2024-05-31

Abstract:Despite significant efforts to ensure the success of software projects, the risk of failure remains high. Although these risks cannot be entirely eliminated, they can be effectively managed through proper risk management techniques throughout the software development lifecycle. This study aims to classify and identify the most effective risk management techniques using factor analysis. We surveyed software project managers, presenting them with thirty different risk management techniques, which they frequently used and deemed effective. We categorized these techniques into three main components: Planning and Requirement Techniques, Communication Techniques, and Models and Tools. The study's findings will be applied to a real-world software project to verify their effectiveness in mitigating risks. A novel multi-dimensional weighting approach is proposed to highlight the relationships between risks and actions, selecting best-fit profiles for both business and risk via an `if-the-shoe-fits' process, and determining precise mitigating actions through score tolerance bands. The successful identification and implementation of these techniques are expected to significantly improve the likelihood of mitigating risks in software projects.

David Kwan,Luiz Marcio Cysneiros,Julio Cesar Sampaio do Prado Leite

DOI: https://doi.org/10.48550/arXiv.2107.02959

2021-07-07

Computers and Society

Abstract:The ubiquitous presence of software in the products we use, together with Artificial Intelligence in these products, has led to an increasing need for consumer trust. Consumers often lose faith in products, and the lack of Trust propagates to the companies behind them. This is even more so in mission-critical systems such as autonomous vehicles and clinical support systems. This paper follows grounded theory principles to elicit knowledge related to Trust, Ethics, and Transparency. We approach these qualities as Non-Functional Requirements (NFRs), aiming to build catalogs to subsidize the construction of Socially Responsible Software. The corpus we have used was built on a selected collection of literature on Corporate Social Responsibility, with an emphasis on Business Ethics. Our challenge is how to encode the social perspective knowledge, mainly through the view of Corporate Social Responsibility, on how organizations or institutions achieve trustworthiness. Since our ground perspective is that of NFRs, results are presented by a catalogue of Trust as a Non-Functional Requirement, represented as a Softgoal Interdependency Graph (SIG). The SIG language helps software engineers in understanding alternatives they have to improve Trust in software products.

Yan Li,Ming Zhao,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1109/icebe.2008.80

2008-01-01

Abstract:As e-commerce always suffers from the uncertainty, cheats and attacks, concepts of trust and risk are brought in to enhance on-line business. Several models or frameworks for dealing with uncertainty and threats in cyberspace have been proposed in the literature, but few explicitly consider trust and risk as two separate factors that influence different aspects of on-line interactions independently. This paper presents a novel framework which considers trust and risk as two key dimensions to strengthen interactions in e-commerce. Moreover, a novel method of trust evaluation is proposed to represent confidence in the success of a transaction. And a new method of risk assessment is also presented to indicate impacts on assets and resources. Finally, simulation results also indicate that our framework is able to enhance interactions in e-commerce more powerfully, efficiently and rationally.

Xian-zhong ZHOU,Ji-zhou ZHAN,Meng LI,Jia-bao ZHAO,Ying-ying ZHU

2011-01-01

Abstract:How to ensure software trustworthiness is one of the hottest topics in the software engineering research at present. Three aspects on software distrust are studied from converse thinking. Based on the concept of software trustworthiness, the relationships among software distrust, failure, fault, defect and error are analyzed. Furthermore, the concept of distrustable factor is proposed originally. With the analysis of difference between distrustable factor and software risk factor, the basics and importance of distrustable factor are emphasized. The distrust chain of software is given, which is the extension of the classic failure chain. A new framework based on WBS-RBS is proposed to collect, identify and classify the distrustable factors. The reasonableness of the concept that proposed in the paper is verified by a case. It is specially pointed out that guaranteeing the software trustworthiness should focus on controlling and improving the original source-distrustable factor, instead of defect and fault.