SCIS 2017, 2017 Symposium on Cryptography and Information Security, Naha, Japan, Jan. 24-27, 2017. The Institute of Electronics, Information and Communication Engineers

Copyright© 2017 The Institute of Electronics, Information and Communication Engineers

Privacy-Enhancing Trust Infrastructure for Process Mining

Sven Wohlgemuth *, Kazuo Takaragi †

* Austr. 5, 71665 Vaihingen an der Enz, Germany
† National Institute of Advanced Industrial Science and Technology (AIST), Annex, 2-3-26 Aomi, Koto-ku, Tokyo 135-0064, Japan

Abstract: Threats to a society and its social infrastructure are inevitable and endanger human life and welfare. Resilience is a core concept for coping with such threats by strengthening risk management in spite of incidents of any kind. This paper discusses the secondary use of personal information as a key element under such conditions, and the process mining that relies on it. It realizes completeness in an acceptable manner to mitigate a usability problem of the secondary use of personal information. Nevertheless, acceptable soundness is still realized in our scheme for a fundamental privacy-enhancing trust infrastructure. Our work approaches the Ground Truth for personal predictive IT risk management by process mining with block chain technology and privacy-enhancing mechanisms.

Keywords: Resilience, Risk Management, Safety, Accountability, Reliable Broadcast, Open Data

1 Introduction

When the Great Hanshin Earthquake struck the Kansai area of Japan in 1995, it became clear that sharing personal information was very important for maintaining the health and property of the people affected by the disaster. This information included biometric authentication data, medical records, bank passbooks, and so on. The staff of the city hall responsible for support urgently needed to obtain such personal information in a timely manner. However, this did not go well. It led to extreme exhaustion of the staff and delayed the improvement of the situation. Similar problems occurred during the Great East Japan Earthquake in 2011 and the 2016 Kumamoto Earthquake [24, 25]. In general, threats to a society and its social infrastructure endanger human life and welfare both directly and indirectly. Resilience is a core concept for a society to cope with such threats by strengthening risk management in spite of incidents of any kind. The ultimate aim is a sustainable society. Resilience is both a goal and an approach. As a goal, regulations aim at resilience for, e.g., finance, data protection, and cybersecurity by using information and communication technology (IT). Some explicitly stipulate the use of an information security management system (ISMS) as a prerequisite for providing IT services for resilience, e.g., for the critical infrastructure energy [6]. As an approach, resilience originally means the adaptive capacity of a system to prevent failure by achieving a state of equilibrium in spite of incidents of any kind [21]. For IT risk management, resilience means achieving a state of optimal usage of IT risk controls as an equilibrium of economic investments in security [15]. Recent technological developments of IT and their usage for Service Computing allow resilience by providing adaptive personalized IT services and their continuous development for changing workflows under real-time conditions [33]. The innovation of Service Computing is a scalable data-centric service that predicts and responds to vulnerabilities and incidents of any kind by focusing on the specific data relevant to such an environment. Aggregation of personal data stimulates innovation in knowledge creation on IT risks for prediction through secondary use of personal data. Any user of a data-centric service acts in the role of both service consumer/service provider and data provider/data consumer. The critical activity is information exchange on IT risks in the physical and cyber environments with always changing dependencies. The key challenge to be solved for IT support of resilience is, paradoxically, the inflexibility of acceptable information security with respect to any user's personal security policy, as required, e.g., for IT Governance. Figure 1 illustrates the information flow model of data-centric services [31, 34].

Fig. 1. Information flow of a data-centric service

The problem of information security in information exchange is safety: predicting whether a non-authorized access to information will take place [20]. The state of the art in information flow control [38] mainly considers soundness. Soundness aims to enforce one aspect of safety on information flow in general by an IT service. If a personalized IT service enforces one security policy, then this enforcement holds for all of its workflows. This contradicts resilience, since it considers neither any user's personal security policy nor safety for any secondary use of personal information: security still follows technology as it operates. With the aim of improving IT support for resilience, our approach is completeness on the safety of information processing for IT risk management. Acceptable completeness yields a statement on preventing false positives, as opposed to soundness, which requires preventing false negatives when enforcing a given security policy by a given workflow. There is often a trade-off between them, especially in times of contingency. In fact, this completeness necessitates a proper and prompt way of ruling on informational self-determination for privacy. A proper ruling on informational self-determination for privacy is an enabler of IT support for resilience. To provide reliable safe information for IT risk management, we introduce a universal privacy-enhancing trust infrastructure. Each user checks the enforcement of a personal privacy policy, which results not only in a reliable database of safe information on IT risks but also in new knowledge on IT risk controls and their usage. This infrastructure is based on usage control through secondary use of personal security-related information as Open Data in a pseudonymized manner. The basic IT security services are user-centric privacy-enhancing identity management and reliable broadcast, which need to be built on the balance of soundness and completeness, where the equilibrium may change. Section 2 describes the main challenges and our approach. Section 3 motivates completeness by showing conceptual deficiencies of soundness for resilience. This leads to section 4, which introduces the concept of a personalized service for privacy. Section 5 introduces its cryptographic building blocks to provide a sound infrastructure for completeness. Section 6 investigates the state of the art. The discussion in section 7 concludes on the contribution of our work with privacy as an enabler and gives an outlook.

2 Main Challenges and Basic Ideas

Conventionally, and presumably in the future, when secondary use of personal information is to be carried out, a data controller plays an important role; for example, this is a government (Fig. 2).

Fig. 2 Transparency by Open Data and block chain

It approves access for that secondary use of personal information under a limited condition. Usually, from this point in time the owner of the personal information loses control over his or her information. If the data controller is perfect, this may be good in an emergency. But this is usually not the case, and large damage to personal information may occur in the sense of a privacy breach. This first main challenge for improving usable security is known as the safety problem of access control. The special case of type-safe access control permits secondary use of personal data only in a very limited manner. That limitation has caused too much loss of health, property, and so on. The second main challenge is to provide information on accountability to the data controller in a timely manner, so that the data controller can properly judge whether to grant permission for secondary use of personal information. Ideally, for a perfect judgement, it would be desirable to obtain all the states of artifacts, natural products, all memory states of the computer, the human condition, and so on. In general, perfect accountability is not possible. Every state in the real world, that is, Ground Truth, can only be observed with degradation of authenticity. The first basic idea for improvement is secure delegation of rights. Some part of the personal information is anonymized, sometimes subjected to processing with artificial intelligence, and then sent to the data controller (Fig. 3). Some privacy-enhancing techniques are used in this process. This enables a fast and rational judgement by the data controller. The second basic idea for improvement is to provide a means by which a user does not lose control over his own data even after secondary use of the personal information has been carried out. For this, it is important to let any user know the related authentic data provenance in the absence of perfect participants. This third main challenge is reliable broadcast. We are developing a mechanism using a block chain by which users can obtain the provenance of anonymous data without having to trust a central authority. Using privacy-enhancing technologies, we realize conditional agreement for safety, information accountability, and reliable broadcast. By referring to the data of a block chain as Open Data, we obtain the effect of being able to verify compliance throughout the process [49].

3 From Soundness to Completeness

IT risk management is an iterative process with the four phases (a) identification, (b) quantification, (c) control, and (d) monitoring [15]. Regarding social infrastructure, phases (a) and (b) are abstracted from a given physical environment by deriving a threat model. This threat model covers the expected probability and expected loss of known IT security vulnerabilities and incidents. It needs to take into account the dependencies among the identified objects, which inevitably exist in Service Computing [33] due to the shared use of data and information. Phase (c) establishes the security model on the use of IT risk controls in accordance with any user's personal security policy. Phase (d) then monitors the use of IT risk controls and their effects on the identified IT risks, both within the model and in the physical environment. The result is then used to enhance the model. When problems are incubated by newly revealed IT security vulnerabilities and incidents, there often arises a requirement for secondary use of the information in these models to identify dependencies and options for improvement as new knowledge. This is an additional application of process mining [30]. Concerning information security, the goal is to obtain a proof of the safety of information flows, which should be enforced by Trusted Computing [38]. A proof of information security shows whether an IT service fulfills safety properties by prohibiting non-desired states while at the same time allowing adaptivity of information processing for resilience. The latter property, for any desired states in the future, is known as liveness [8]. The present concept for safety is language-based security [38], which is based on access control. The goal is soundness, in that vulnerabilities and incidents should be prevented: if a security model enforces a security policy, it enforces this security policy for all structures and instances of this model. For information flow control, a proof shows an isomorphism between the information flow graph [16] and the given security policy. In general, however, safety with access control is not decidable [20]; it is decidable in the limited case of type-safety [37]. Language-based security enforces a security policy by making use of type-safety, a reference monitor, a certifying compiler, and their combination [38]. Language-based security requires transparency: all information flows must be known to the reference monitor and the certifying compiler, respectively. A reference monitor then re-writes vulnerable code into safe code; a certifying compiler proves whether the code under evaluation satisfies the requested safety properties of the given security policy. The result is a safe IT service. Let us assume safety of all IT services, including data-centric services. Enforcement of type-safety for an information flow between safe IT services remains, i.e., preventing a man-in-the-middle attack. This is the goal of cryptography, whereas the challenge faced is, in general, the safe exchange of cryptographic keys [10]. Cryptography usually assumes a trusted third party. A trusted third party is, however, difficult to realize ideally, since it is threatened by its inevitable dependencies on information flows with different IT services and users requiring different levels of soundness and completeness [48]. Figure 4 illustrates the problem. The classification of Internet users in Germany shows, for instance, different interests in responsibility for security while using personalized IT services for different purposes. The majority wants to delegate this responsibility to a third party while showing differences in trust assumptions [11]. Decision-makers demand delegation of responsibility in part to the users [12]. These differences require support for personal security policies on the processing of personal data and personal risk preferences in this multilateral security setting. In fact, this refers to privacy as informational self-determination [36, 50]. Regarding enforcement of privacy policies, completeness has a higher priority than soundness. If a workflow satisfies completeness, then it enforces an information flow according to a certain policy. In addition, a proof of knowledge for completeness accepts errors, whereas soundness is not an essential property [2]. The basic privacy-enhancing trust infrastructure, however, needs to acceptably satisfy soundness for the witness values, as Ground Truth for a proof of completeness on the enforcement of a policy for a given information exchange.

Fig. 3 Processing Ground Truth with PKI and marketplace

Fig. 4 Problem for resilience: Loss of control

4 Privacy as a Personalized Service

The proof system provides the service of distinguishing trustworthy participants from untrustworthy ones in the sense of acceptable safety. In a proof system for completeness with error probabilities, the participants are at least a prover and a verifier [16]. For the proof system, the representation of a participant is an interactive function, e.g., a workflow, computable by a Turing Machine, i.e., an IT service. It is assumed that the prover is scalable in computing resources. Since a proof is a distributed algorithm, the proof system additionally requires a scheduler for reliable message distribution [27]. The role of a participant depends on his role in the information exchange. A data provider acts as a prover in showing the authenticity of the corresponding information to the data consumer as a verifier. A data provider derives knowledge of whether the data consumer will use this information according to the expected privacy policy. A data consumer acts complementarily to the data provider. Both proofs together enable the use of Service Computing, i.e., secondary use of personal data, for critical services such as personal IT risk management. A participant unifies this multilateral security setting in a balance of security and privacy [35] by oneself. A mutual proof makes use of the same information on safety. This information is a witness, which is used by the knowledge extractor of the proof system. The target is specified by the privacy policy of its users. The current information flow is represented by the data provenance of this information between IT services. It shows known dependencies of the information flow. The proof results in privacy evidence [36] as knowledge on the accountability of information [45]. Hence, the required witness is on authorization, accountability, and authentication, which, in turn, makes it a witness of personal information processing. The use of this personal security-related information is both primary and secondary. Its primary use is ex post policy enforcement of information processing for IT risk management on already existing and available knowledge. Its secondary use is ex ante, for IT risk management by deriving knowledge for identification, quantification, and monitoring of previously unknown risks, and for control activities with new IT risk controls and plans for using them. Ex ante activities require decidable and formalizable authorization for any access to data that should take place in the future without conflicting with safety. Revocation is required in case a mutually trusted exchange changes. Obligations must be available to any knowledge extractor. Hence, such personal information on safety needs to be reliably broadcast as Open Data. Their formalization shows that not all obligations are observable, but they can become so at run-time [35]. Compensation complements the observation of obligations. Compensations are enforceable actions, which can take place before access has been granted and after an incident and its accountability have been detected. Our proof system utilizes the concept of an ISMS as defined by [4, 22] for protecting the assets of one's own workflow, IT systems, personal data as well as entrusted information, and one's own reputation (Fig. 5). Since vulnerabilities and incidents are inevitable and not all obligations are observable, integrity and compliance are inevitably threatened by information leakage. Yet the proof itself as well as the witness values need to follow minimal privacy principles on confidentiality. Our proof system follows minimal principles of Privacy by Design. They relate to privacy-enhancing user-centric identity management. This requires the proof to be acceptably zero-knowledge for the two parties, prover and verifier [18], and the witnesses to be acceptably accountable while at the same time being non-linkable across the several workflows of each party [7]. Privacy requires a data-centric service for improving the safety of any user, i.e., support for resilience. This is in principle informational self-determination as a personalized service. With the support of a data-centric service, it seems to be a chicken-and-egg situation. However, cryptography provides mathematically sound primitives for acceptably safe IT security services as building blocks.

5 Cryptographic Building Blocks

The mathematical security model for the fundamental information exchange of cryptography concerns the trust evaluation of a public key infrastructure according to any user. The Ground Truth is the whole set of the given user's knowledge to be used in authentication within this PKI. It contains authentic cryptographic keys, public key certificates, and belief as trust in others' certification as well as in recommendations on trust [28]. This model allows a statistical logic evaluation of several certification paths for the same key, i.e., several sources of information and their aggregation, in order to increase the user's confidence. For privacy, the target of evaluation is the information to be exchanged. Certificates relate to statements on authorization of usage, data provenance, and trust in the safety of the partners of this exchange. Recommendations relate to benchmarking on reputation for safety. These statements are assigned to the electronic identity, to be deposited in a safe manner as the digital representation of users and IT services. To provide safe information for accounting, the AAA Authorization Framework [44] standardizes the trust infrastructure of the Internet. For secondary use of personal information, AAA needs to be enhanced in order to detect anomalies in an information flow and their origin [45]. A first design of the core software library for this AAA(A) is shown in [46]. Privacy-enhancing authentication implements a user's identity based on a cryptographic key and related attribute-based credentials. Biometrics is used for the direct mapping between a human being and his cryptographic key and credentials in a secure manner [41, 51] for a public biometric infrastructure. Privacy-enhancing authorization for distributed IT systems is based on attributes certified to a cryptographic public key of the requesting identity. Access is enforced by the identity providing the data [3]. Private attribute-based credentials, however, do not consider safe information exchange via a third party. If they are used for this purpose, users lose control over their identity due to the all-or-nothing transferability property, which is meant to achieve safety in authorization by discouraging users from sharing. Secure delegation of rights [39] enhances trust management for usage control and revocation. It requires a public digital directory for certifying an authorization. Privacy-enhancing accountability generates a statement on incidents within a given isolation. Secure logging collects and logs system events of a separate IT system on internal information processing, while at the same time allowing non-linkability by cryptography-based access control on identity-related log views [1]. Higher cryptographic protocols document the data provenance of information exchange between identities. This cryptographically created data provenance is then used for an audit on safety. It reconstructs the graph of the actual information flow. Knowledge on the information flow is then derived from the data provenance, while identities remain non-linkable towards a third party. Soundness and completeness of the first design are shown in [47]. Reliable broadcast with imperfect users is possible in the asynchronous communication model. It provides an acceptable consensus on safety, i.e., acceptable soundness of a broadcast, if the requirements on consistency or partition-tolerance are weakened [17]. Acceptable soundness is satisfiable by the cryptographic block chain system [32]. A block chain realizes a statistically sound third party by self-organization of imperfect users, but is vulnerable with regard to partition-tolerance. Consistency might be tolerated if the personal risk thresholds of its users are compensated. A block represents state transitions on an information exchange regarding AAA between a data provider and a data consumer. State transitions are proven and documented by a user in the role of a successful miner following the proof-of-work of the block chain. A successful miner takes the role of a certifier and is therefore accountable for this proof-of-work. As compensation for taking on this burden of accountability, the successful miner gets a reward for the new block and a transaction fee from the data provider. As compensation, a data consumer pays a financial value to the data provider, e.g., coins or profit sharing on further processing of this information. In return, the data consumer gets a verifiable statement on the authentication of this data from the data provider and the block chain. Figure 6 illustrates the place of the block chain, where the authorization and data provenance reside. It is a means to manage data on personally identifiable information (PII) with a block chain. To protect privacy, the PII itself is not recorded in the block chain, but rather the rights on its usage. It is a way to manage only the information flow to those entities qualified by either the data owner or the data controller. An example outline is as follows. Firstly, a sender $P_i$ generates an authorization $A_i$ for a PII $d_i$. $A_i$ includes the public key, which is a pseudonymized name of the next receiver. If $d_i$ is a large amount of data that plays an important role as PII, e.g., an image from a surveillance camera, $d_i$ may include a digital watermark to identify the sender and receiver in case of violation [47]. If $d_i$ is a short PII text such as "The diagnostic image shows that he has a risk of heart attack," digital watermarking is not applicable. In this case, secure logging is used. Secondly, the sender $P_i$ generates

  $M_i = h(d_i) \| A_i$   (1)

where $h$ is a hash function and $\|$ denotes concatenation of data. A block chain is a set of $B_i$'s such that

  $B_i = h(B_{i-1} \| M_i), \quad i = 1, \ldots, n$   (2)

where $B_0$ is an initial value. Any change of the message $M_i$ will cause a change of $B_i$ and of all subsequent blocks up to $i = n$. Each block $B_i$ is signed by the sender $P_i$ to obtain $S_i$:

  $S_i = \mathrm{sign}(B_i)$   (3)

where $\mathrm{sign}$ is a digital signature function. $S_i$ and $M_i$ are added to the list of the provenance. $d_i$ is sent to the receiver through a secure communication channel. The transferred data, i.e., the PII and its provenance, can be made far more unforgeable in case of a code break, e.g., as expected from advances in quantum computing. This is realized by undeniable evidence of data provenance using a hysteresis of data exchange [40]. In it, some trusted entity, e.g., a newspaper company, generates an additional block

  $M_i = h(d_i') \| A_i'$   (4)

where $d_i'$ is any other data. It is then inserted into the chain. The additional signature

  $B_i = h(B_{i-1} \| M_i)$   (5)

  $S' = \mathrm{sign}(B_i)$   (6)

will become an alibi, which can serve as a kind of evidence of a historical fact retained in its archive.

Fig. 5 Plan-Do-Check-Act (Personal IT risk management)

Fig. 6 Privacy-enhancing AAA(A) by reliable broadcast

6 Related Work

For a reliable digital single market with an acceptable level of security, the European Commission stipulates a trust infrastructure for electronic identification and trust services in the regulation eIDAS 910/2014 [14]. It should facilitate the implementation of the principles of Privacy by Design. It addresses private and public use of national electronic identity management systems, interoperability, certificates, trust services and requirements for their providers, trust lists, electronic time stamps, long-term preservation, and cryptographic primitives. eIDAS should also be used for the resilience of international healthcare. It considers IT risk management with a duty for trust services to report security breaches and security risk assessments to supervisory bodies, the national registration authority, and the data protection authority. The origin of incidents should be detected for personal accountability. Our work can be a candidate for realizing eIDAS in accordance with the personal security requirements of any user. The ISO 27001 and BSI-Standard 100 ISMSs aim at satisfying compliance and information security for, e.g., critical infrastructures. ISO 27001 is based on IT risk management [22] and supports continuous improvement of a system by its Plan-Do-Check-Act process for IT risk management [23]. BSI-Standard 100-1 adapts ISO 27001 [4]. It differs in concept. Whereas ISO 27001 allows stepwise refinement with completeness and considers IT risks from the beginning, BSI-Standard 100-2 [5] focuses on soundness. It aims to obtain a complete network plan of the IT service.

7 Options for IT Risk Controls

The Digital Agenda for Europe of the European Horizon 2020 strategy [13] and the Japanese Information Security Strategy [42, 43] promote the wide application of the principles of Privacy by Design and the appropriate use of privacy protection technology. Our privacy-enhancing trust infrastructure follows Privacy by Design for personal predictive IT risk management based on privacy-enhancing identity management. In addition to technical IT risk controls on security and privacy, non-technical controls such as regulations should protect anonymized personal information in any case, to complement accountability for safety. Our privacy-enhancing AAA service allows non-technical IT risk controls. The documented cause-and-effect relationships on vulnerabilities and incidents provide the database on accountability whose absence is considered the main reason for missing IT risk controls on confidentiality and accountability [19]. Missing IT risk controls for risk diversification are considered the main deficiency of information security in Service Computing [9]. Our work contributes to adequate IT risk controls, e.g., benchmarking [26], while ensuring privacy [29]. At the beginning of this work, means for information security did not exist for Service Computing. The approach to safety was soundness, which implies that security follows technology. For increasing the availability of personal data and information for resilience, privacy is often seen as a hurdle or as already outdated. With our work, we show the opposite. It is not privacy that is a hurdle for resilience, but security as understood through soundness. Privacy is the enabler for acceptable predictive IT risk management as IT support for resilience. We look forward to realizing such IT risk management for creating a sustainable society by the example of Smart Cities.

References

[1] Accorsi, R., "A secure log architecture to support remote auditing", Mathematical and Computer Modelling, 57, 1578-1591, 2013.
[2] Bellare, M., Goldreich, O., "On Defining Proofs of Knowledge", CRYPTO '92, LNCS 740, Springer, 390-420, 1993.
[3] Blaze, M., Feigenbaum, J., Lacy, J., "Decentralized Trust Management", IEEE Symposium on Security and Privacy 1996, IEEE, 164-173, 1996.
[4] BSI, "BSI-Standard 100-1 Information Security Management Systems (ISMS) Version 1.5", 2008.
[5] BSI, "BSI-Standard 100-2 IT-Grundschutz Methodology Version 2.0", 2008.
[6] Bundesnetzagentur, "IT-Sicherheitskatalog gemäß Absatz 1a Energiewirtschaftsgesetz", 2015.
[7] Chaum, D., "Security Without Identification: Transaction Systems to Make Big Brother Obsolete", CACM, 28(10), 1030-1044, 1985.
[8] Clarkson, M.R., Schneider, F.B., "Hyperproperties", Journal of Computer Security, 18, IOS Press, 1157-1210, 2010.
[9] Diffie, W., "Information security: 50 years behind, 50 years ahead", CACM, 51(1), 55-57, 2008.
[10] Diffie, W., Hellman, M.E., "New Directions in Cryptography", IEEE Transactions on Information Theory, 22(6), 644-654, 1976.
[11] DIVSI, "DIVSI Milieu Study on Trust and Security on the Internet", 2012.
[12] DIVSI, "DIVSI Decision-Maker Study on Trust and Security on the Internet", 2013.
[13] European Commission, "A Digital Agenda for Europe", 2010.
[14] European Commission, "Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC", Official Journal of the European Union, L 257, 73-114, 2014.
[15] Faisst, U., Prokein, O., "An Optimization Model for the Management of Security Risks in Banking Companies", CEC '05, IEEE, 266-273, 2005.
[16] Fürer, M., Goldreich, O., Mansour, Y., Sipser, M., Zachos, S., "On Completeness and Soundness in Interactive Proof Systems", Advances in Computing Research: A Research Annual, 5, 429-442, 1989.
[17] Gilbert, S., Lynch, N., "Brewer's Conjecture and the Feasibility of Consistent, Available, Partition-tolerant Web Services", SIGACT News, 33(2), 51-59, 2002.
[18] Goldwasser, S., Micali, S., Rackoff, C., "The knowledge complexity of interactive proof systems", SIAM Journal on Computing, 18(1), 186-208, 1989.
[19] Grzebiela, T., "Insurability of Electronic Commerce Risks", 35th HICSS, IEEE, 2002.
[20] Harrison, M.A., Ruzzo, W.L., Ullman, J.D., "Protection in Operating Systems", CACM, 19(8), 461-471, 1976.
[21] Holling, C.S., "Resilience and Stability of Ecological Systems", Annual Review of Ecology and Systematics, 4, 1-23, 1973.
[22] ISO/IEC, "27001(E) Information technology - Security techniques - Information security management systems - Requirements", 2013.
[23] ISO/IEC, "27005 Information technology - Security techniques - Information security risk management", 2011.
[24] Japan Automatic Identification Systems Association, "Research and development of victim support system using biometrics authentication", 2015.
[25] Japan Ministry of Internal Affairs and Communications, "Toward strengthening disaster medical and relief activities by ICT", 2016.
[26] Kerschbaum, F., "Secure and Sustainable Benchmarking in Clouds", Business & Information Systems Engineering, 3(3), 135-143, 2011.
[27] Lynch, N., "Distributed Algorithms", TBS, 1996.
[28] Maurer, U., "Modelling a Public-Key Infrastructure", ESORICS '96, LNCS 1146, Springer, 325-350, 1996.
[29] Minami, K., Lee, A.J., Winslett, M., Borisov, N., "Secure aggregation in a publish-subscribe system", WPES '08, ACM, 95-104, 2009.
[30] Müller, G., Accorsi, R., "Why are Business Processes Not Secure?", Buchmann Festschrift, LNCS 8260, Springer, 240-254, 2013.
[31] Müller, G., Flender, C., Peters, M., "Characterization of E-Commerce", in Buchmann, J. (ed.), Internet Privacy - Options for adequate realisation, acatech STUDY, 43-60, 2013.
[32] Nakamoto, S., "Bitcoin: A Peer-to-Peer Electronic Cash System", 2008.
[33] O'Reilly, T., "What is Web 2.0: Design Patterns and Business Models for the Next Generation of Software", Communications & Strategies, 65, 17-37, 2007.
[34] Pretschner, A., Hilty, M., Basin, D., "Distributed usage control", CACM, 49(9), 39-44, 2006.
[35] Rannenberg, K., Pfitzmann, A., Müller, G., "IT Security and Multilateral Security", in Multilateral Security in Communications - Technology, Infrastructure, Economy, Addison-Wesley-Longman, 21-29, 1999.
[36] Sackmann, S., Strüker, J., Accorsi, R., "Personalization in privacy-aware highly dynamic systems", CACM, 49(9), 32-38, 2006.
[37] Sandhu, R., "The Typed Access Matrix Model", IEEE Symposium on Security and Privacy 1992, IEEE, 122-136, 1992.
[38] Schneider, F.B., Morrisett, G., Harper, R., "A Language-Based Approach to Security", Informatics 10 Years Back, 10 Years Ahead, LNCS 2000, Springer, 86-101, 2001.
[39] Sonehara, N., Echizen, I., Wohlgemuth, S., "Isolation in Cloud Computing and Privacy-Enhancing Technologies", Business & Information Systems Engineering, 3(3), 155-162, 2011.
[40] Susaki, S., Miyazaki, K., Takaragi, K., Matsumoto, T., "Alibi Establishment for Electronic Signatures: How to prove that you did not make the electronic signature in question even when the base cryptosystem was collapsed. Part 2. Concrete Schemes and Evaluation", SIG Technical Reports, 2000-30(1999-DPS-097), 19-24, 2000.
[41] Takahashi, K., Matsuda, T., Murakami, T., Hanaoka, G., Nishigaki, M., "A Signature Scheme with a Fuzzy Private Key", Applied Cryptography and Network Security, 13th International Conference, ACNS 2015, LNCS 9092, Springer, 105-126, 2015.
[42] The Government of Japan, "Cybersecurity Strategy", 2015.
[43] The Government of Japan, "Information security R&D strategy (revised edition)", 2014.
[44] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L., Gross, G., de Bruijn, B., de Laat, C., Holdrege, M., Spence, D., "AAA Authorization Framework", RFC 2904, IETF, 2000.
[45] Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J., "Information Accountability", CACM, 51(6), 82-87, 2008.
[46] Wohlgemuth, S., "Resilience by Usable Security", Mensch und Computer, 2015.
[47] Wohlgemuth, S., Echizen, I., Sonehara, N., Müller, G., "Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy", IFIP SEC 2010, IFIP 330, Springer, 241-252, 2010.
[48] Wohlgemuth, S., Sackmann, S., Sonehara, N., Tjoa, A M., "Security and privacy in business networking", Electronic Markets, 24(2), 81-88, 2014.
[49] Wohlgemuth, S., Takaragi, K., "A Toolset for Usable Security with ICT Service Networks", The 11th International Workshop on Security (IWSEC), 2016.
[50] Wohlgemuth, S., Takaragi, K., Echizen, I., “Privacy with Secondary Use of Personal Information”, MKWI Research-in-Progress & Poster-Beiträge, 2016. [51] Yamada, A., “A Generalization of ISO/IEC 24761 to Enhance Remote Authentication with Trusted Product at Claimant”, ICT Systems Security and Privacy Protection, 455, Springer, 145-168, 2015. 8