Listing by author "Kurowski, Sebastian"
1 - 10 of 12
- Text document: Anonymization Is Dead – Long Live Privacy (Open Identity Summit 2019, 2019). Zibuschka, Jan; Kurowski, Sebastian; Roßnagel, Heiko; Schunck, Christian H.; Zimmermann, Christian. Abstract: Privacy is a multi-faceted, interdisciplinary concept, with varying meaning to different people and disciplines. To most researchers, anonymity is the "holy grail" of privacy research, as it suggests that it may be possible to avoid personal information altogether. However, time and time again, anonymization has been shown to be infeasible. Even de-facto anonymity is hardly achievable using state-of-the-art cryptographic anonymization techniques. Furthermore, as there are inherent tensions between the privacy protection goals of confidentiality, availability, integrity, transparency, intervenability and unlinkability, failed attempts to achieve full anonymization may make it impossible to provide data subjects with transparency and intervenability. This is highly problematic as such mechanisms are required by regulation such as the General Data Protection Regulation (GDPR). Therefore, we argue for a paradigm shift away from anonymization towards transparency, accountability, and intervenability.
- Conference paper: Economic issues of federated identity management - an estimation of the costs of identity lifecycle management in inter-organisational information exchange using transaction cost theory (Open Identity Summit 2015, 2015). Kurowski, Sebastian. Abstract: Inter-organisational data exchange is common in inter-organisational value chains. Currently, information-providing organizations enrol users of suppliers in order to enable them to access their services and information. This leaves some users with the issue of handling multiple credentials, introducing risks of password reuse [Iv04] and weak passwords [Ne94]. Federated identity management eases this scenario by enabling users to authenticate against their organizations' identity provider [Hü10]. However, the costs involved in managing the underlying identity and rights lifecycle have hardly been considered. This paper addresses this gap by using the principal-agent theory and transaction cost theory, structuring the identity lifecycle using [BS08] [IS05] [IS10], and estimating the management costs. We finally analyse the economic benefits of federated identity management in inter-organisational information exchange. We find that while process costs for executing the identity lifecycle are reduced for the information provider by introducing federated identity management, the control costs reduce, and in one case even diminish, this cost benefit. We briefly discuss our findings and conclude that further mechanisms and research are required to reduce the efforts in auditing, in order to fully unlock the security and economic benefits of federated identity management.
- Text document: An explorative approach on the impact of external and organizational events on information security (Open Identity Summit 2017, 2017). Ajazaj, Ilirjana; Kurowski, Sebastian. Abstract: This contribution aims at the research question of which observable organizational events occur prior to an information security incident, and how these may relate to the organization. It therefore uses a dataset that was built using Google News and the list of data breaches from [Mc17] to analyse which organizational events occur most often. It provides a categorization of these events, which was built by using a grounded theory approach. On the other hand, causal chains are constructed by using the sociological system theory and constructivism. Both the causal chains and the organizational event categories are applied together within this contribution to discuss the likelihood of the causalities of the occurred events. However, events such as financial gains also exhibit a higher occurrence prior to an information security incident. This contribution is a speculative, yet first approach on this question. Further research will focus on refining the constructed causalities.
- Text document: A meta-heuristic for access control test data creation in access control model testing (Open Identity Summit 2017, 2017). Winterstetter, Matthias; Kurowski, Sebastian. Abstract: User-to-document access data is in most cases protected and as such difficult to acquire for research purposes. This work seeks to circumvent this problem by creating research data on the basis of reference processes through the evolutionary algorithm. Data created through this method, while not as accurate as real data, still has its foundation in reality through the reference process and can as such be used as a replacement.
- Conference paper: On the diffusion of security behaviours (Open Identity Summit 2020, 2020). Kurowski, Sebastian; Roßnagel, Heiko. Abstract: Security behaviour has been researched from a variety of theoretical lenses; however, a clear picture on the factors that foster secure behaviour is still missing. This contribution uses the diffusion of innovations theory and applies it to four exemplary security behaviours to identify how it can explain the uptake of each behaviour. In contrast to many other approaches, it focuses on the behaviour itself, not the behaving individual. We are able to show differences in the uptake of idealized security behaviours. A perceived relative advantage positively impacts the uptake of a behaviour; however, this advantage seems rarely to be motivated by a perceived risk. Risk only seems to play a minor role for the diffusion of security behaviours. Additionally, the relative advantage does not seem to be a necessity for the diffusion of a behaviour. If the other properties, namely compatibility, trialability, observability, and low complexity of a behaviour, are adequately fulfilled, a successful diffusion is still possible.
- Conference paper: On the possible impact of security technology design on policy adherent user behavior - Results from a controlled empirical experiment (SICHERHEIT 2018, 2018). Kurowski, Sebastian; Fähnrich, Nicolas; Roßnagel, Heiko. Abstract: This contribution provides results from a controlled experiment on policy compliance in work environments with restrictive security technologies. The experimental setting involved subjects forming groups and required them to solve complex and creative tasks for virtual customers under increasing time pressure, while frustration and work impediment of the used security technology were measured. All subjects were briefed regarding existing security policies in the experiment setting and the consequences of violating these policies, as well as the consequences for late delivery or failure to meet the quality criteria of the virtual customer. Policy breaches were observed late in the experiment, when time pressure was peaking. Subjects not only indicated maximum frustration, but also a strong and significant correlation (.765, p<.01) with work impediment caused by the security technology. This could indicate that user-centred design not only contributes to the acceptance of a security technology, but may also be able to positively influence practical information security as a whole.
- Text document: Response and Cultural Biases in Information Security Policy Compliance Research (Open Identity Summit 2017, 2017). Kurowski, Sebastian; Dietrich, Fabina. Abstract: This contribution tries to shed light on whether current information security policy compliance research is affected by response (such as social desirability) or cultural biases. Based upon the hypothesis that response biases may be subject to information processing of the questionnaire item by the respondent, a classification of questionnaire items of 17 surveys is provided. Furthermore, the Individualism and Power Distance indices are gathered for the survey samples. Correlation analysis reveals that the Power Distance index correlates negatively, while Individualism correlates positively, with the mean self-reported policy compliance. These findings support previous findings on the role of Power Distance and contradict the influence of response and social desirability biases on self-reported information security policy compliance.
- Conference paper: Risk variance: Towards a definition of varying outcomes of IT security risk assessment (Open Identity Summit 2022, 2022). Kurowski, Sebastian; Schunck, Christian H. Abstract: Assessing IT security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research, however, suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size, in light of the varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.
- Conference paper: Risk-centred role engineering within identity data audits - continuous improvement of the rights structure and possible risk accumulations (2016). Kurowski, Sebastian. Abstract: Success and costs of audits in identity management largely depend on the structure of the underlying access control model. Auditing access rights includes the determination of actuality and adequacy of provided access rights. In order to ease audit and administration of access rights, role mining approaches have provided several solutions for identifying a minimal set of roles based upon either existing usage data or business data. However, these approaches have focused on homogeneous, static environments. When facing dynamic, heterogeneous environments, such as infrastructure administration or smart systems, the accompanying noise of access rights provisioning hinders the determination of adequacy and actuality of access rights. With application of static approaches, accumulation of access risks at users may arise due to inadequate access rights or aggregation of access roles. These issues are, however, mostly neglected by current approaches. Within this contribution we propose a method based upon the design structure matrix approach, which enables the identification of role aggregations and the examination of access risk accumulation within aggregated roles and their assigned users throughout continuous audits of the access control model.
- Text document: Unified Data Model for Tuple-Based Trust Scheme Publication (Open Identity Summit 2019, 2019). Wagner, Sven; Kurowski, Sebastian; Roßnagel, Heiko. Abstract: Trust schemes are widely used by authorities to support verifiers of electronic transactions in determining the trustworthiness of relying parties. With a tuple-based publication, in addition to the trust scheme membership, the requirements of the trust scheme are published. For this, the development and publication of a unified data model derived from existing trust schemes (e.g. eIDAS) is needed, where each requirement is explicitly represented by one tuple. The consolidation and development of this data model, which is based on nine existing trust schemes, is presented along with possible applications and added value (e.g. improved mapping of trust schemes) in the field of trust verification. The data model includes the three abstract concepts Credential, Identity, and Attributes and in total 98 concepts, which can be added to standard trust lists using ETSI TS 119 612.