Accepted author manuscript, 1.53 MB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
}
TY - GEN
T1 - A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software
AU - Weir, Charles
AU - Dyson, Anna
AU - Prince, Daniel
PY - 2023/9/25
Y1 - 2023/9/25
N2 - Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.
AB - Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.
KW - Developer Centered Security
KW - software teams
KW - privacy
KW - software developer
KW - cybersecurity
KW - intervention
KW - workshop
KW - Design Based Research
KW - software security
M3 - Conference contribution/Paper
BT - Proceedings of the 2023 IEEE Secure Development Conference (SecDev)
PB - IEEE
T2 - IEEE Secure Development Conference 2023
Y2 - 18 October 2023 through 20 October 2023
ER -