Susan Lincke | University of Wisconsin-Parkside

Papers by Susan Lincke

Designing System Security with UML Misuse Deployment Diagrams

2012 IEEE Sixth International Conference on Software Security and Reliability Companion, 2012

Useful enhancements to UML for security exist, including for the requirements and analysis/design stages: notably misuse case diagrams/descriptions, mis-sequence diagrams, UMLpac, and security patterns. These all consider security attacks on software functionality. This paper considers the system architecture when analyzing security. The advantage of the proposed misuse deployment diagram is that in distributed processing (e.g., client/server) where you put your defense software is as important as having it. This new diagram gives a bird's eye view of possible security attacks, and the security defenses or layers to mitigate them. This technique can be used in more than software development, since it may be used in audit, testing, security planning, and security education.

Network security: Focus on security, skills, and stability

2007 37th annual frontiers in education conference - global engineering: knowledge without borders, opportunities without passports, 2007

Network security auditing as a community-based learning project

ACM SIGCSE Bulletin, 2007

Security courses can focus on encryption/authentication algorithm design, attack/defend methodologies, or security techniques. Our goal is to train computer personnel in how to secure networks. What better way than to work with real equipment and real organizations? This course includes a community-based project which involves students auditing part of a system for local organizations. Auditing is common in industry, and requires students to be well-versed in security techniques, the auditing process, and the application of results. This paper outlines our experiences in bringing community-based audit projects into the classroom.

A Performance Evaluation of a Distributed QoS Load Sharing Scheme

2006 Wireless Telecommunications Symposium, 2006

4G will introduce additional wireless networks offering faster data services. Service balancing is a technique where traffic overflows between wireless networks in order to improve QoS goals in an automated way. Since speech and queued packet data form the predominant services of the future, this study evaluates two techniques of overflowing services between radio access networks. To ensure response time goals can be achieved, interactive services have a limited queue size that varies with the number of actively-transmitting sessions. An analytic model based upon the Gauss-Seidel Markov chain model is used to validate simulation results.

Validation of a Load Shared Integrated Network with Heterogeneous Services

40th Annual Simulation Symposium (ANSS'07), 2007

As wireless networks have become more complex with packet services and sophisticated modulation techniques, validation using multidimensional Markov Chain models has become increasingly rare. Although Product Form models fail when queued packet services are introduced, iterative models (such as Gauss-Seidel) can be accurate. However, Gauss-Seidel is memory and processor intensive. This study considers whether probabilistic transitions can replace state

Dietary modeling of greenhouse gases using OECD meat consumption/retail availability estimates

International Journal of Food Engineering

Research has demonstrated different carbon footprints, based on portion estimations. However, previous estimates are low and often omit the impact of food waste. For example, a high-level of daily meat consumption has been estimated at 100 g, which is less than a typical “quarter pounder” hamburger. We used the Organization for Economic Co-operation and Development (OECD) annual estimates of national retail availability, and applied a mathematical model to prorate other research results to determine a meat portion equal to current OECD statistics, and also projected the diets to 2500 and 3250 kcal, to include consumer and retail waste. Once prorated, the 14 national studies are contrasted and analyzed for reasonableness against OECD data pertaining to U.S., U.K., E.U., vegetarian and vegan diets. We quantify how previous studies underestimated greenhouse gas (GHG) emissions and show that previous GHG study results for the highest tier most accurately predict average national dietary...

Security Risk Assessment in Electronic Health Record System

2018 IEEE Technology and Engineering Management Conference (TEMSCON), 2018

This paper identifies and quantifies the risks of security breaches associated with Electronic Health Record (EHR) in healthcare organizations. This study analyzes data from the Data Breach Disclosure Report published by US Department of Health and Human Services (HHS) to determine actual rates of types of breaches, the volume and the average cost of each type of breach. We also propose a procedure to derive rates of breach types and the calculation of SLE (Single Loss Expectancy) to quantify and assess the security risk associated with EHR.

Network Security: A Case Study

This paper reviews 3 case studies related to network security. The first two exercises deal with security planning, including classifying data and allocating controls. The third exercise requires more extensive TCP knowledge, since the exercise includes evaluating a computer power-up sequence … but with interesting results!

Modeling Security Risk with Three Views

Communications and Networking Simulation (CNS 2019), 2019

Organizations are responsible for implementing due care, or controls for risk, by calculating the likelihood multiplied by the impact for high-risk threats. Organizations cover their own risk expenditures and they do this independently. However, this may be myopic. We investigate a societal perspective by calculating risk via three models: an individual, organizational and societal view of security at a high level for two issues: ransomware and mobile privacy. For these two issues, we consider fault, responsibility, interdependency and ethics. By considering a more societal and interdependent solution, new or better solutions arise.

A Survey and Comparison of Secure Software Development Standards

2020 13th CMI Conference on Cybersecurity and Privacy (CMI) - Digital Transformation - Potentials and Challenges(51275), 2020

There are standards, guidelines, and certifications for software security to help guide software development projects into becoming more securely written to comply with any regulations that may apply to the project. These best practices and standards include Common Criteria, The Open Group Architecture Framework (TOGAF), Security Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM), Application Security Verification Standard (ASVS), OWASP, and SAFECode, in addition to the national or international standards groups, PCI, NIST and ISO/IEC. In this paper, we focus on secure software development by surveying and comparing these methods and standards, and identify the areas of the software development life cycle (SDLC) to which one or more of them could be applied to improve the security of a software application during its development lifecycle.

A model for adjusting dietary estimates of greenhouse gases towards OECD food estimates

Research has shown that the meat-based portion of diets has a most serious effect related to greenhouse gases. Many studies rely on portion estimations, assuming a ‘high-level’ of daily meat consumption of 100 g and an average consumption of 2000 kcal. This meat estimate is less than one McDonalds quarter pounder. The Organization for Economic Co-Operation and Development (OECD) provides annual estimates of national meat consumption, where six nations' averages rank above the 200 g mark. We focus on EU and US, since there are both OECD data and dietary studies available for these higher-meat consumption nations. The OECD meat consumption for EU is at 189 g and US at 270 g daily. We prorate studies’ research to assume the meat portion is equal to the OECD statistics and also prorate to a higher dietary consumption level of 2400 kcal. We accomplish this by providing a mathematical model and example results for 8 studies. These are analyzed for reasonableness by observing the greenhouse ...

Ethical management of risk: active shooters in higher education

Journal of Risk Research, 2019

This paper considers the response of higher educational institutions to the risk posed by active shooters. Such response is founded on risk management frameworks that determine expenditures incurred to reduce risk. We examine the principles on which such risk management may be based and show that the annual expenditures made by institutions will vary, depending on ethical values and how broadly organizational risk is understood. We derive an ethical risk maturity model and compare results of a quantitative risk analysis for each ethical maturity level, factoring in the relevant controls at each level. We also analyse a scenario via a qualitative analysis and Sandman's outrage factor and evaluate several examples spent by various institutions within the framework of the model. We conclude that higher education would be well served to take a broad perspective of risk.

Integrating ethics and risk management

2016 4th International Symposium on Digital Forensic and Security (ISDFS), 2016

Traditional business and risk analysis is designed to protect the organization, and thus is self-focused. Ethics is concerned with appropriate behavior towards the 'other'. Is risk management ethical if it protects itself (the organization) but may leave its customers, neighbors, society and/or our environment in distress? This paper evaluates ethical and risk management papers from business, engineering and IT against a proposed ethical maturity model for the risk management process, defined towards an ideal. It also proposes an enhanced quantitative risk analysis method to implement a higher ethical level, by considering the 'other'.

The Development of a Longitudinal Security Case Study

Proceedings of the 16th Annual Conference on Information Technology Education - SIGITE '15, 2015

A longitudinal walkthrough case study can teach students skills to develop a system of security with a big picture view. This security teaching case study helps students plan organizational security, develop secure software requirements, and prevent fraud. The case study uses a doctor's office that must adhere to HIPAA as a foundation for student problem-based learning. We have taught the course with and without service learning, with undergraduate and graduate students, with foreign, American, computer science and business students. As part of our assessment, we evaluated students' perceptions and learning effectiveness. This paper addresses the improvements made and lessons learned through assessment of this longitudinal teaching case study.

Planning organizational security

Proceedings of the 13th annual conference on Information technology education - SIGITE '12, 2012

The development of a graphic multidimensional Markov Chain modeler to diagram large state spaces

Existing Markov modeling tools include high level Petri nets and process algebras, or low level statistical packages with programmed or form matrices. However, we and other modelers often describe our work in Markov Chain state space format. With the rising popularity of graphical tools, a graphical Markov Chain state space modeler makes sense to simplify development of these models. However, as networks become large and complex, the graphical tool must implement large state spaces quickly, by allowing the modeler to specify patterns for state and transition generation. Our graphic multidimensional Markov Chain modeler implements the Gauss-Seidel solution. It enables modelers to design state spaces graphically, eliminating programming and associated debugging. This tool can be used by programmers and non-programmers alike to speed up research efforts of all types, and can also be used as a training tool for probability or simulation courses teaching modeling. As an example applicati...

Designing software security with UML extensions: post-conference workshop

Security is becoming required knowledge for software engineers. Building security into the product means that security must be considered during the requirements and throughout the software development process. This workshop considers how UML can be enhanced for security, including through misuse cases, business process diagrams, class diagrams, mis-sequence diagrams, and misuse deployment diagrams. The OCTAVE process to analyze risk is also introduced.

Governing: Policy, Maturity Models and Planning

Security Planning, 2015

Executive level management is responsible for strategic business goals (including for IT/security), managing risk, defining policies for the organization, and for staffing security. The previous two chapters addressed risk, including the chapter on Business Impact Analysis. This chapter addresses the remaining executive management responsibilities: strategic planning, policy, and maturity models.

Performing an Audit or Security Test

Security Planning, 2015

Compliance means that the organization and its actors adhere to applicable regulation and organizational policy and standards. Auditors are professional evaluators who test for compliance and/or that certain objectives are met. Therefore, understanding audit techniques professionalizes testing, whether it is done for test or audit purposes.

Planning for Network Security

Security Planning, 2015

The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability, while a security analyst needs to close every vulnerability. If that sounds nearly impossible to defend, then implement defense in depth, which requires an attacker to penetrate multiple layers of security to succeed.
