Ronda Henning - Academia.edu
Papers by Ronda Henning
IEEE Security & Privacy Magazine, 2009
International Conference on Enterprise Information Systems, 2005
Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system's resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. For the system end-user, the functional allocation of security policy to discrete system components, or subsystems, may be too complex for comprehension. In this dissertation, the concept of a metapolicy, or policy that governs ex...
A system security policy is subject to considerable interpretation. What to the end user may be a perfectly reasonable access control policy may be impossible to architect into an enforceable policy implementation. The earlier such policy disconnect can be found, the less severe the impact on the system design, cost, and schedule. This paper discusses the use of computational narrative, or computer-assisted storytelling, as a method for eliciting the access control policy associated with a given information system. Similarities in the structure between computational narration and access control models are presented, as are attempts to apply computational narration in similar domains. Finally, a research project is proposed to determine the feasibility of computational narration as an access control modeling technique.
A system security policy is often perceived as a set of mandatory requirements levied upon the system by an organizational directive or Information System Security Officer (ISSO). To the user, these security requirements may bear little resemblance to his actual working system security policy, which controls data modification and user privileges. In the course of reengineering business processes and
For the past two years, Harris Corporation has been conducting research for the U.S. Air Force Research Laboratory under the Network Vulnerability Tool (NVT) Study. The Network Vulnerability Tool concept develops and applies a single topological system model. This model supports the information needs of multiple vulnerability analysis tools using an integrated knowledge solicitation and translation framework. As part of this effort, vulnerability tools from COTS, GOTS, and research laboratory sources were surveyed, and a representative sample tool collection was selected for inclusion in the NVT prototype. The prototype integrates and interactively applies multiple existing vulnerability assessment technologies, resulting in a cohesive, combined vulnerability/risk assessment. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system d...
36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the
Proceedings of the 1999 workshop on New security paradigms - NSPW '99
Security analysis of networked computing systems continues to present a challenge. The growing complexity of network and computing systems, the increasing sophistication of computer attacks, and the limited supply of security specialists make automated security solutions a necessity. A number of independent solutions are often suggested for a system and then implemented as independent sensors. Little work has been done in fusing sensor outputs in a meaningful way in order to recognize an attack in progress in time to mitigate its impact.
Proceedings of the Seventh International Conference on Enterprise Information Systems
2003 Symposium on Applications and the Internet Workshops, 2003. Proceedings.
This paper is constructed on the premise that human belief dependent emotions can be triggered by story-telling or narratives. With recent technological advancements to measure neurobiological measurements of the brain, such as functional magnetic resonance imaging (fMRI) and non-invasive brain computing interface (BCI) equipment, these technologies can allow for visualization and data collection of brain activation patterns showing unconsciously controlled responses to narratives or stories. Current game theory application to belief networks has been modeled to help explain observed behavior when material payoffs of others matter to the individual. We discuss a method of how game theory, utilizing communication packet theory, can now be modeled to belief dependent emotions and intentions measured through a new biometric tool correlating neurobiological emotional states and responses.
For the past two years, Harris Corporation has been conducting research for the U.S. Air Force Research Laboratory under the Network Vulnerability Tool (NVT) Study. The Network Vulnerability Tool concept develops and applies a single topological system model. This model supports the information needs of multiple vulnerability analysis tools using an integrated knowledge solicitation and translation framework. As part of this effort, vulnerability tools from COTS, GOTS, and research laboratory sources were surveyed, and a representative sample tool collection was selected for inclusion in the NVT prototype. The prototype integrates and interactively applies multiple existing vulnerability assessment technologies, resulting in a cohesive, combined vulnerability/risk assessment. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system ...
When a natural disaster strikes, a corporation normally places a disaster recovery plan into effect. These plans define how a corporate knowledge base is reconstituted after a catastrophic failure, allowing an enterprise to continue its daily functions. However, natural disasters are relatively rare occurrences. A corporation that leases space at a site hosting facility and purchases disruption insurance has allocated assets in advance, with potentially no return on those investments if a disaster does not occur [1]. In this regard, disaster recovery is like insurance. With the ubiquity of the Internet, it has become more difficult to disrupt services for an extended period of time. Consumers expect 24-hour service or they take their Internet shopping elsewhere. Global enterprises now link what were isolated data centers to Enterprise Resource Planning systems to manage inventory and track consumer preferences. There is no downtime allowed in today's global economy. Enter the con...