IEEE Technology and Society Magazine - Winter 2014 - 79
extension of the CORAS methodology for risk assessment [19].
Threat scenarios depict with a
level of probability how threats can
cause incidents by exploiting existing vulnerabilities. Incidents have negative consequences
on assets owned by stakeholders
with a level of severity; for example, a leak of presence
information may trigger a privacy
violation. The risk of a threat scenario is calculated by
considering the probability versus
the severity of the negative consequences caused by the resulting
incidents. One threat scenario may
enable other contained threat scenarios to happen, given that additional vulnerabilities are present.
Citizens/users can maintain a history
of incidents and exchange information with respect to occurrence of
threat scenarios enabling empirical
statistical analysis of risks.
Threats, assets, and vulnerabilities are associated with the system
elements defined in the collection of
SecKit metamodels and are not specified in isolation. This association
provides traceability of risks, supports structured analysis, and allows
more concrete countermeasures
to be adopted. Each citizen/user
may decide to adopt the indicated
countermeasures if the risk level is
above a certain personal threshold.
In SecKit we associate the countermeasures with a set of rule templates
that can be deployed and enforced to
detect and react to the threat scenario, or to prevent it
from happening.
Fig. 4 shows an example risk
model where the threat scenarios
are analyzed and the countermeasures are identified. In this example a threat scenario is specified
for an IoT device in a smart home
that allows external entities deliberate access to information, and
as a consequence, these entities
can infer if the home owner is at
home or not. This threat scenario
enables a second threat scenario
where thieves rob the smart home
when the owner is not at home. One
possible countermeasure to mitigate the enabling threat scenario
is to instantiate a security policy
rule template that controls external
access to the IoT device. This is
a policy template specified in the
ECA format that can be deployed
and enforced. More abstract countermeasures can also be specified,
for example, to deploy an effective
alarm system that prevents thieves
from robbing the citizens' home.
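
The smart-home risk model described above, sketched as an added example that is not part of the article or of SecKit. It assumes risk is the product of probability and severity on invented scales; the scenario values, the template name `control-external-access`, and the device and requester names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class ThreatScenario:
    name: str
    probability: float   # assumed scale 0..1, conditional on the enabling scenario
    severity: int        # assumed scale 1 (negligible) to 5 (critical)
    template: str = ""   # hypothetical ECA rule template mitigating this scenario
    enables: list = field(default_factory=list)

def assess(scenario, p_enabler=1.0, path=()):
    """Yield (name, risk, templates along the enabling chain) for each scenario."""
    p = p_enabler * scenario.probability
    path = path + ((scenario.template,) if scenario.template else ())
    yield scenario.name, round(p * scenario.severity, 3), path
    for enabled in scenario.enables:
        yield from assess(enabled, p, path)

def select_templates(root, threshold):
    """Templates to deploy for every scenario whose risk exceeds the threshold."""
    chosen = []
    for _, risk, path in assess(root):
        if risk > threshold:
            chosen += [t for t in path if t not in chosen]
    return chosen

def external_access_rule(device, trusted):
    def rule(event):
        if event["type"] == "read" and event["device"] == device:  # Event
            if event["requester"] not in trusted:                  # Condition
                return "deny"                                      # Action
        return "allow"
    return rule

# Constructed model of the smart-home scenario; all numbers are invented.
robbery = ThreatScenario("robbery while owner is away", 0.5, 5)
leak = ThreatScenario("presence inferred from IoT device", 0.6, 2,
                      template="control-external-access", enables=[robbery])

def demo(threshold):
    deployed = select_templates(leak, threshold)
    rule = lambda event: "allow"  # nothing enforced unless the template is selected
    if "control-external-access" in deployed:
        rule = external_access_rule("motion-sensor", {"owner-phone"})
    events = [{"type": "read", "device": "motion-sensor", "requester": r}
              for r in ("owner-phone", "unknown-host")]
    return deployed, [rule(e) for e in events]

if __name__ == "__main__":
    print(list(assess(leak)), demo(1.3), demo(2.0))
```

With a personal threshold of 1.3 only the enabled robbery scenario exceeds it, yet the template selected is the one attached to the enabling presence-leak scenario, which is where the article places the countermeasure.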
Future Developments
The adoption of SecKit as a common
abstract platform to enable trust and
privacy has many advantages from
a citizen's perspective. It allows the
collaboration between citizens with a
precise definition of trust beliefs and
trust management approaches. Observations about trust can be exchanged
together with the management policy
rule templates adopted, explicitly
making the semantics and interpretation of these trust values easier. It also
enables a community-driven privacy
support that can be updated on a regular basis with support not only from
the citizens' peers via social networks
but also from privacy protection organizations that actively work on risk
assessment and specification of possible countermeasures.
Technical solutions embedded by
design in the systems and the creation
of places for individuals to control and
shape their own choices in design can
represent a step forward in achieving
a higher level of trust. Trust, however,
does not entirely depend on the effective control of the system. Indeed,
trust can be maintained and nurtured
even when the complexity of linkages is so high that the system can
only notify and raise awareness that
a critical threshold of uncertainty has
been reached.
Fig. 3. Trust management policy rule templates.
Fig. 4. Risk model.