Electronic data

  • A Lot Less Likely Than I Thought

    Accepted author manuscript, 1.53 MB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License

A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN; Conference contribution/Paper; peer-review

E-pub ahead of print
Publication date: 25/09/2023
Host publication: Proceedings of the 2023 IEEE Secure Development Conference (SecDev)
Publisher: IEEE
Original language: English
Event: IEEE Secure Development Conference 2023 - Atlanta, GA, United States
Duration: 18/10/2023 to 20/10/2023
https://secdev.ieee.org/2023/home

Conference

Conference: IEEE Secure Development Conference 2023
Abbreviated title: SecDev 2023
Country/Territory: United States
City: Atlanta, GA
Period: 18/10/23 to 20/10/23
Internet address

Abstract

Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.