Electronic data

  • A Lot Less Likely Than I Thought

    Accepted author manuscript, 1.53 MB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License

A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN > Conference contribution/Paper > peer-review

E-pub ahead of print

Standard

A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software. / Weir, Charles; Dyson, Anna; Prince, Daniel.
Proceedings of the 2023 IEEE Secure Development Conference (SecDev). IEEE, 2023.

Harvard

Weir, C, Dyson, A & Prince, D 2023, A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software. in Proceedings of the 2023 IEEE Secure Development Conference (SecDev). IEEE, IEEE Secure Development Conference 2023, Atlanta, GA, United States, 18/10/23.

APA

Weir, C., Dyson, A., & Prince, D. (2023). A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software. In Proceedings of the 2023 IEEE Secure Development Conference (SecDev) IEEE. Advance online publication.

Vancouver

Weir C, Dyson A, Prince D. A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software. In Proceedings of the 2023 IEEE Secure Development Conference (SecDev). IEEE. 2023 Epub 2023 Sept 25.

Bibtex

@inproceedings{f788f1dfe63a4ba59a36c909aa8b3ac1,
title = "A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software",
abstract = "Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.",
keywords = "Developer Centered Security, software teams, privacy, software developer, cybersecurity, intervention, workshop, Design Based Research, software security",
author = "Charles Weir and Anna Dyson and Daniel Prince",
year = "2023",
month = sep,
day = "25",
language = "English",
booktitle = "Proceedings of the 2023 IEEE Secure Development Conference (SecDev)",
publisher = "IEEE",
note = "IEEE Secure Development Conference 2023, SecDev 2023 ; Conference date: 18-10-2023 Through 20-10-2023",
url = "https://secdev.ieee.org/2023/home",

}

RIS

TY - GEN

T1 - A Lot Less Likely Than I Thought: Introducing Evidence-Based Security Risk Assessment for Healthcare Software

AU - Weir, Charles

AU - Dyson, Anna

AU - Prince, Daniel

PY - 2023/9/25

Y1 - 2023/9/25

N2 - Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.

AB - Security and privacy are particularly important for health applications and health-related devices. So, it is vital that health software developers, especially in small to medium companies, devote their time and resources only to the security and privacy activities that will be most effective for them. Accordingly, this paper describes the creation and development of a facilitated workshop to help developers create risk assessments, using a structured series of activities based on a healthcare industry risk model. The authors found little publicly available information on risk probabilities, requiring our own calculations. The results of six workshop trials showed that cards with stories and probabilities promoted effective risk analysis, and that this was valuable to less experienced development teams. This workshop approach provides a powerful lightweight approach to calculating evidence-based security and privacy loss expectations, allowing better decision making to improve the security of the many healthcare software systems we all depend upon.

KW - Developer Centered Security

KW - software teams

KW - privacy

KW - software developer

KW - cybersecurity

KW - intervention

KW - workshop

KW - Design Based Research

KW - software security

M3 - Conference contribution/Paper

BT - Proceedings of the 2023 IEEE Secure Development Conference (SecDev)

PB - IEEE

T2 - IEEE Secure Development Conference 2023

Y2 - 18 October 2023 through 20 October 2023

ER -