Karyda Maria
Professor

mka@aegean.gr

22730 82266

Information Systems Security Management


 

Dr Maria Karyda holds a PhD in Information Systems Security Management, a M.Sc. in Information Systems and a B.Sc. in Informatics from the Athens University of Economics and Business, Greece. She is currently an Associate Professor, Director of the Information and Communication Systems Security Laboratory and Director of the MSc in Information and Communication Systems Postgraduate Program, of the Department of Information and Communication Systems Engineering, University of the Aegean, Greece. Her research interests lie in the fields of information security management, awareness and culture, and privacy protection.

She has given several guest lectures in the area of information security management at education institutes, including the Ionian University, the International University of Greece and the University of Piraeus, and at international summer schools. She has also collaborated as a security expert and consultant with several organisations and institutes, including the European Union Agency for Cybersecurity (ENISA), public organizations, including the Greek Ministry of Foreign Affairs, the Greek Institute of Social Security (IKA), the General Hospital of Nikaia, the Greek Archaeological Receipts Fund and the Athens Water Supply & Sewerage Company, as well as private companies, including INFO-QUEST and the Greek Lottery S.A.

Dr Karyda has participated in EU-funded R&D projects, including the EU ManyLaws Project, the FP7 Project RESPONSIBILITY (Project Number 321489), the EC 6th Framework Programme project SERENITY “System Engineering for Security and Dependability” (IST-027587) and the IST Programme project e-VOTE (IST-2000-29518); in international research projects (the DAMES-T programme, funded by the Greek General Secretariat for Research and Technology and the Scientific and Technological Research Council of Turkey); and in national research programmes (PYTHAGORAS, Archimedes) funded by the Greek Ministry of Education.

Her published work includes more than 60 refereed articles in international journals and in the proceedings of international conferences, as well as book chapters in the areas of information security and privacy. She also serves as a referee for several scholarly journals and has served on the Programme Committees of several international conferences. She is a member of the ACM, IEEE, AIS and the Greek Computer Society.
 

Research Interests

Information Systems, Security and Privacy, Social Networks

Teaching Activities

 

Graduate Program:

  • "Information Systems Management"
  • "Systems Theory"
  • "IT Project Management"
  • "Information Systems Security"

Postgraduate Program:

  • "Information Systems"
  • "Information Systems in eGovernment"
  • "Information Systems Security Management"

Administrative Activities

Director of the Information and Communication Systems Security Laboratory (Info-Sec-Lab)

Director of the MSc in Information and Communication Systems Postgraduate Program

Scientific And Professional Organizations Membership

Member of ACM, IEEE, AIS and the Greek Computer Society (ΕΠΥ)

Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


Journals

A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Exploring users’ attitude towards privacy-preserving search engines: A protection motivation theory approach, Information and Computer Security, 2023, Emerald Publishing Limited, https://www.emerald.com/insight/con...
 
Abstract
Search engines, the most popular online services, are associated with several concerns. Users are concerned about unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users’ privacy. We call these search engines Privacy-Preserving Search Engines (PPSEs). In this paper, we investigate the factors that motivate search engine users to use PPSEs. To this aim, we adopted Protection Motivation Theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. We tested our research model using survey data from 830 search engine users worldwide. Our results confirm the interpretive power of PMT in privacy-related decision making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, our results highlight the importance of subjective norms in predicting and determining PPSE use. Since subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, we reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE.
Ioannis Stylios, A. Skalkos, M. Karyda, S. Kokolakis, BioPrivacy: a behavioral biometrics continuous authentication system based on keystroke dynamics and touch gestures, Information & Computer Security, Vol. 30, No. 5, pp. 687-704, 2022, Emerald Publishing Limited, https://www.emerald.com/insight/con...
A. Skalkos, Ioannis Stylios, M. Karyda, S. Kokolakis, Users’ Privacy Attitudes towards the Use of Behavioral Biometrics Continuous Authentication (BBCA) Technologies: A Protection Motivation Theory Approach, Journal of Cybersecurity and Privacy, Vol. 1, No. 4, pp. 24, 2021, MDPI, https://www.mdpi.com/2624-800X/1/4/...
 
Abstract
Smartphone user authentication based on passwords, PINs, and touch patterns raises several security concerns. Behavioral Biometrics Continuous Authentication (BBCA) technologies provide a promising solution which can increase smartphone security and mitigate users’ concerns. Until now, research in BBCA technologies has mainly focused on developing novel behavioral biometrics continuous authentication systems and their technical characteristics, overlooking users’ attitudes towards BBCA. To address this gap, we conducted a study grounded on a model that integrates users’ privacy concerns, trust in technology, and innovativeness with Protection Motivation Theory. A cross-sectional survey among 778 smartphone users was conducted via Amazon Mechanical Turk (MTurk) to explore the factors which can predict users’ intention to use BBCA technologies. Our findings demonstrate that privacy concerns towards intention to use BBCA technology have a significant impact on all components of PMT. Further to this, another important construct we identified that affects the usage intention of BBCA technology is innovativeness. Our findings posit the view that reliability and trustworthiness of security technologies, such as BBCA are important for users. Together, these results highlighted the importance of addressing users’ perceptions regarding BBCA technology.
T. Papaioannou, A. Tsohou, M. Karyda, Forming Digital Identities in Social Networks: The Role of Privacy Concerns and Self-Esteem, Information and Computer Security, Vol. 29, No. 2, pp. 240-262, 2021, Emerald,
V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR Compliance Controls, Information and Computer Security, Vol. 28, No. 4, 2020, Emerald, https://www.emerald.com/insight/con...
 
Abstract
Purpose – This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this work i) as a basis for extending the already existing security control modules towards data protection; ii) as guidance for reaching compliance with the Regulation. Design/methodology/approach – This study has followed a two-step approach. First, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, we identified GDPR requirements not addressed by ISO/IEC 27001:2013. Findings – The findings of this work include i) the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; ii) the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; iii) the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere to the GDPR. Originality/value – This work provides a gap analysis and identifies the further steps and additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Identifying the values associated with users’ behavior towards anonymity tools through means-end analysis, Computers in Human Behavior Reports, Vol. 2C, No. 100034, 2020, Elsevier, http://www.sciencedirect.com/scienc...
I. Topa, M. Karyda, From Theory to Practice: Guidelines for Enhancing Information Security Management, Journal of Information and Computer Security, Vol. 27, No. 3, pp. 326-342, 2019, Emerald Publishing
 
Abstract
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005. Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices. The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards. This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance. This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
K. Vemou, M. Karyda, Evaluating privacy impact assessment methods: guidelines and best practice, Information & Computer Security, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-04-2019...
 
Abstract
(Purpose) This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research. (Design/methodology/approach) This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standards organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed. (Findings) This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners. (Practical implications) The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support the requirements of their PIA projects (e.g. a special legal framework and needs for PIA project organization guidance). (Originality/value) This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from the evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.
K. Vemou, M. Karyda, Requirements for Private Communications over Public Spheres, Information and Computer Security, Vol. 28, No. 1, pp. 68-96, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-01-2019...
 
Abstract
(Purpose) In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private. This paper aims to analyze privacy requirements of personal communications over a public medium. (Design/methodology/approach) This paper systematically analyzes SNS services as communication models and considers privacy as an attribute of users’ communication. A privacy threat analysis for each communication model is performed, based on misuse scenarios, to elicit privacy requirements per communication type. (Findings) This paper identifies all communication attributes and privacy threats and provides a comprehensive list of privacy requirements concerning all stakeholders: platform providers, users and third parties. (Originality/value) Elicitation of privacy requirements focuses on the protection of both the communication’s message and metadata and takes into account the public–private character of the medium (SNS platform). The paper proposes a model of SNS functionality as communication patterns, along with a method to analyze privacy threats. Moreover, a comprehensive set of privacy requirements for SNS designers, third parties and users involved in SNS is identified, including voluntary sharing of personal data, the role of the SNS platforms and the various types of communications instantiating in SNS.
P. Mavriki, M. Karyda, Automated data-driven profiling: Threats for group privacy, Information and Computer Security, 2019, Emerald, (to appear)
P. Mavriki, M. Karyda, Big Data analysis in political communication: Implications for Group Privacy, International Journal of Electronic Governance, 2018, (to appear)
 
Abstract
A growing body of academic literature explores the implications of the adoption of big data analytics technologies in the area of political marketing and communication. While academic and public discourse on privacy focuses on the individual level, this paper explores a scarcely studied issue: group privacy. We elaborate on the importance and role of group privacy and we identify and analyse threats to group privacy that stem from exploiting big data for political purposes. This paper argues that the use of big data analysis technologies in a political context can have severe implications for group privacy such as (political) targeting of particular groups and biased decision making based on group behaviour. We also show that threats to group privacy may have long term implications for society, e.g. with regard to the impact of populist movements.
A. Tsohou, M. Karyda, S. Kokolakis, Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs, Computers & Security, Vol. 52, pp. 128–141, 2015, Elsevier, https://www.researchgate.net/public..., indexed in SCI-E, IF = 1.17
 
Abstract
Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how individuals make security-related decisions. Relevant literature, however, has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behaviour. Security awareness programs need, therefore, to be aligned with the factors affecting the internalization of the communicated security objectives. This paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behaviour. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behaviour.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Managing the Introduction of Information Security Awareness Programs in Organisations, European Journal of Information Systems, Vol. 24, No. 1, pp. 38-58, 2015, Palgrave, https://www.researchgate.net/public..., indexed in SCI-E, IF = 2.213
 
Abstract
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.
K. Vemou, M. Karyda, Guidelines and tools for incorporating privacy in Social Networking Platforms, IADIS International Journal on WWW/Internet, Vol. 12, No. 2, pp. 16-33, 2014, http://www.iadisportal.org/ijwi/
 
Abstract
Built-in privacy is important for promoting users’ privacy and trust in Social Networking Services (SNS). Up to now, privacy research has its focus on the development and employment of Privacy Enhancing Technologies as add-on applications and on investigating users’ privacy preferences. This paper draws on the principles of privacy-by-design and extends previous literature by identifying privacy requirements for the development of privacy-friendly SNS platforms. The paper also evaluates currently embedded privacy practices in four popular SNS platforms (Facebook, Google+, Twitter and Pinterest) to assess the level of built-in privacy and proposes a list of guidelines and tools SNS platform designers can employ.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Trajectories of Information Security Awareness, Information Technology & People, Vol. 25, No. 3, 2012, Emerald, http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.767
 
Abstract
Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value – This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, Journal of Information Systems Security, Vol. 6, No. 1, pp. 36-64, 2010, http://www.jissec.org/Contents/V6/N...
 
Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.
M. Karyda, S. Gritzalis, J. H. Park, S. Kokolakis, Privacy and Fair Information Practices in Ubiquitous Environments: Research Challenges and Future Directions, Internet Research, Vol. 19, No. 2, pp. 194-208, 2009, Emerald, http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.844
 
Abstract
Purpose – This paper aims to contribute to the ongoing discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research. Design/methodology/approach – The paper analyses the privacy implications of particular characteristics of ubiquitous applications and discusses the fundamental principles and information practices used in digital environments for protecting individuals’ private data. Findings – A significant trend towards shifting privacy protection responsibility from government to the individuals is identified. Also, specific directions for future research are provided with a focus on interdisciplinary research. Research limitations/implications – This paper identifies key research issues and provides directions for future research. Originality/value – This study contributes by identifying major challenges that should be addressed, so that a set of “fair information principles” can be applied in the context of ubiquitous environments. It also discusses the limitations of these principles and provides recommendations for future research.
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Investigating information security awareness: research and practice gaps, Information Security Journal: A Global Perspective, Vol. 17, No. 5&6, pp. 207–227, 2008, Taylor & Francis, http://www.tandfonline.com/doi/pdf/...
 
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Process-Variance Models in Information Security Awareness Research, Information Management and Computer Security, Vol. 16, No. 3, pp. 271-287, 2008, Emerald, http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes. Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology. Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness. Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications. Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ. Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.
S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. K. Katsikas, A knowledge-based approach to security requirements for e-health applications, The electronic Journal for E-Commerce Tools & Applications (eJETA), Special Issue on Emerging Security Paradigms in the Knowledge Era, 2006, http://www.ejeta.org/specialOct06-i...
 
Abstract
This paper introduces a knowledge-based approach for the security analysis and design of e-health applications. Following this approach, knowledge acquired through the process of developing secure e-health applications is represented in the form of security patterns; thus, it is made available to future developers. In this paper we present a set of security patterns that was developed based on the aforementioned approach. Security requirements for this set of patterns have been identified following a security and privacy analysis. The security patterns have been designed on the basis of a security ontology that was developed for this purpose. The ontology allows all concepts of importance and their relationships to be identified. The paper also describes the validation of the developed ontology, and compares the approach employed to other relevant methods in the domain of secure application development.
L. Mitrou, M. Karyda, Employees Privacy vs. Employers, Telematics and Informatics Journal, Vol. 14, No. 5, pp. 198-217, 2006, Elsevier, http://ac.els-cdn.com/S073658530500...
 
Abstract
This paper addresses the controversy between employees' right to privacy and employers' need to safeguard organizational resources by employing monitoring tools. It shows how organizations can formulate use policies by applying basic principles for fair and lawful monitoring. A list of key points is presented which organizations should take into account when developing such policies. Finally, the paper explores how widely accepted information security standards, such as ISO 17799, can aid the attempt to address this controversy.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Formulating Information Systems Risk Management Strategies through Cultural Theory, Information Management and Computer Security, Vol. 14, No. 3, pp. 198-217, 2006, Emerald, http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders’ perception of risk and its effect on information system (IS) risk management. Design/methodology/approach – Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders’ perceptions. Findings – A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have. Research limitations/implications – The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value – IS security management overlooks stakeholders’ risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.
M. Karyda, L. Mitrou, G. Quirchmayr, A framework for outsourcing IS/IT security services, Information Management and Computer Security, Vol. 14, No. 5, pp. 402-415, 2006, Emerald , http://www.emeraldinsight.com/journ...
 
Abstract
Purpose – This paper seeks to provide an overview of the major technical, organizational and legal issues pertaining to the outsourcing of IS/IT security services. Design/methodology/approach – The paper uses a combined socio-technical approach to explore the different aspects of IS/IT security outsourcing and suggests a framework for accommodating security and privacy requirements that arise in outsourcing arrangements. Findings – Data protection requirements are a decisive factor for IS/IT security outsourcing, not only because they pose restrictions to management, but also because security and privacy concerns are commonly cited among the most important concerns prohibiting organizations from IS/IT outsourcing. New emerging trends such as outsourcing in third countries, pose significant new issues, with regard to meeting data protection requirements. Originality/value – The paper illustrates the reasons for which the outsourcing of IS/IT security needs to be examined under a different perspective from traditional IS/IT outsourcing. It focuses on the specific issue of personal data protection requirements that must be accommodated, according to the European Union directive.
M. Theoharidou, S. Kokolakis, M. Karyda, E. Kiountouzis, The insider threat to Information Systems and the effectiveness of ISO 17799, Computers and Security Journal, Vol. 24, No. 6, pp. 472-484, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
 
Abstract
Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory, and explore the possible enhancements to the standard that could result from the study of more recent criminology theories. The paper concludes with supporting the argument for a multiparadigm and multidisciplinary approach towards IS security management and insider threat mitigation.
M. Karyda, E. Kiountouzis, S. Kokolakis, Information Systems Security: A Contextual Perspective, Computers and Security Journal, Vol. 24, No. 3, pp. 246-260, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
 
Abstract
The protection of information systems is a major problem faced by organisations. The application of a security policy is considered essential for managing the security of information systems. Implementing a successful security policy in an organisation, however, is not a straightforward task and depends on many factors. This paper explores the processes of formulating, implementing and adopting a security policy in two different organisations. A theoretical framework based on the theory of contextualism is proposed and applied in the analysis of these cases. The contextual perspective employed in this paper illuminates the dynamic nature of the application of security policies and brings forth contextual factors that affect their successful adoption.

Conferences

Ioannis Stylios, A. Skalkos, S. Kokolakis, M. Karyda, BioPrivacy: Development of a Keystroke Dynamics Continuous Authentication System, ESORICS 2021 International Workshops. ESORICS 2021, pp. 158-170, 2021, Springer, https://link.springer.com/chapter/1...
 
Abstract
Session authentication schemes establish the identity of the user only at the beginning of the session, so they are vulnerable to attacks that tamper with communications after the establishment of the authenticated session. Moreover, smartphones themselves are used as authentication means, especially in two-factor authentication schemes, which are often required by several services. Whether the smartphone is in the hands of the legitimate user constitutes a great concern, and correspondingly whether the legitimate user is the one who uses the services. In response to these concerns, Behavioral Biometrics (BB) Continuous Authentication (CA) technologies have been proposed in a large corpus of literature. This paper presents research on the development and validation of a BBCA system (named BioPrivacy), that is based on the user’s keystroke dynamics, using a Multi-Layer Perceptron (MLP). Also, we introduce a new behavioral biometrics collection tool, and we propose a methodology for the selection of an appropriate set of behavioral biometrics. Our system achieved 97.18% Accuracy, 0.02% Equal Error Rate (EER), 97.2% True Acceptance Rate (TAR) and 0.02% False Acceptance Rate (FAR).
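The abstract above quotes Accuracy, EER, TAR and FAR for a keystroke-dynamics classifier without showing how those figures are derived. The following is an added illustration, not BioPrivacy's code or its collection tool: it extracts the timing features a keystroke-dynamics system typically feeds to a classifier (hold time, release-to-press latency, press-to-press interval) from a constructed sequence of key events, and then computes FAR, FRR, TAR, accuracy and the equal error rate from constructed per-sample scores standing in for the MLP's output. The event list, the score lists and the function names are all assumptions made for the example.

```python
"""Keystroke-dynamics timings and the FAR / TAR / EER metrics used to
report a continuous-authentication system.

Added illustration, not the BioPrivacy code: the key events and the
classifier scores below are constructed, and the MLP itself is stood in
for by a list of per-sample scores."""
from typing import Dict, List, Tuple

# (key, key-down time in ms, key-up time in ms) for the word "pass" (constructed)
SAMPLE_EVENTS: List[Tuple[str, float, float]] = [
    ("p", 0.0, 90.0),
    ("a", 140.0, 220.0),
    ("s", 300.0, 380.0),
    ("s", 430.0, 520.0),
]

# Scores a classifier would emit for samples of the enrolled user (genuine)
# and of other users (impostor); higher means "more like the enrolled user".
# Constructed values, not measurements.
GENUINE_SCORES = [0.55, 0.60, 0.80, 0.85, 0.90, 0.95]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.50, 0.65, 0.70]


def keystroke_features(events: List[Tuple[str, float, float]]) -> Dict[str, List[float]]:
    """Turn ordered key events into the timing features behavioural-biometric
    systems typically feed to a classifier.

    dwell  : hold time of each key (up - down)
    flight : latency from one key's release to the next key's press; negative
             when the next key is pressed before the previous one is released
    dd     : press-to-press interval between consecutive keys
    """
    evs = sorted(events, key=lambda e: e[1])
    dwell = [up - down for _, down, up in evs]
    flight = [evs[i + 1][1] - evs[i][2] for i in range(len(evs) - 1)]
    dd = [evs[i + 1][1] - evs[i][1] for i in range(len(evs) - 1)]
    return {"dwell": dwell, "flight": flight, "dd": dd}


def rates_at(genuine: List[float], impostor: List[float], threshold: float) -> Dict[str, float]:
    """Error rates when every score >= threshold is accepted.

    FAR: share of impostor samples accepted; FRR: share of genuine samples
    rejected; TAR = 1 - FRR; accuracy counts both kinds of correct decision
    over all samples.
    """
    false_accepts = sum(s >= threshold for s in impostor)
    false_rejects = sum(s < threshold for s in genuine)
    far = false_accepts / len(impostor)
    frr = false_rejects / len(genuine)
    total = len(genuine) + len(impostor)
    acc = (total - false_accepts - false_rejects) / total
    return {"far": far, "frr": frr, "tar": 1.0 - frr, "accuracy": acc}


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where FAR and FRR are closest."""
    best = (None, 1.0, float("inf"))  # (threshold, eer, |far - frr|)
    for t in sorted(set(genuine) | set(impostor)):
        r = rates_at(genuine, impostor, t)
        gap = abs(r["far"] - r["frr"])
        if gap < best[2]:
            best = (t, (r["far"] + r["frr"]) / 2, gap)
    return best[0], best[1]


if __name__ == "__main__":
    print(keystroke_features(SAMPLE_EVENTS))
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3f} at threshold {t}")
    print(rates_at(GENUINE_SCORES, IMPOSTOR_SCORES, t))
```

Two practical caveats follow from the code. A threshold chosen by sweeping the same scores that the EER is reported on is optimistic; the operating threshold should be fixed on enrolment data and the FAR/TAR then measured on held-out sessions. And because the features are plain timings, the negative flight values produced by key rollover have to be kept rather than clipped, since they are part of what distinguishes one typist from another.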
P. Mavriki, M. Karyda, Big data analytics: From threatening privacy to challenging democracy, eDemocracy 2019: 8th eDemocracy International Conference, pp. 16, 2019, (to appear),
 
Abstract
The vast amount of accumulated information and the technologies that store, process and disseminate it are producing deep changes in society. The amount of data generated by Internet users poses great opportunities and significant challenges for political scientists. Having a positive effect in many fields, business intelligence and analytics tools are used increasingly for political purposes. Pervasive digital tracking and profiling, in combination with personalization, have become a powerful toolset for systematically influencing user behaviour. When used in political campaigns or in other efforts to shape public policy, privacy issues intertwine with electoral outcomes. The practice of targeting voters with personalized messages adapted to their personality and political views has already raised debates about political manipulation; however, studies focusing on privacy are still scarce. Focusing on the democracy aspects and identifying the threats to privacy stemming from the use of big data technologies for political purposes, this paper identifies long-term privacy implications which may undermine fundamental features of democracy such as fair elections and political equality of all citizens. Furthermore, this paper argues that big data analytics raises the need to develop alternative narratives to the concept of privacy.
V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance, SECPRE 2019 3rd International Workshop on SECurity and Privacy Requirements Engineering, in conjunction with ESORICS 2019, 2019, Springer LNCS, http://samosweb.aegean.gr/secpre201...
 
Abstract
With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.
T. Papaioannou, A. Tsohou, M. Karyda, Shaping Digital Identities in Social Networks: Data Elements and the Role of Privacy Concerns, 3rd International Workshop on SECurity and Privacy Requirements Engineering , 2019, Springer,
V. Diamantopoulou, A. Tsohou, M. Karyda, General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of activities towards organisations, TrustBus 2019 16th International Conference on Trust, Privacy and Security in Digital Business, 2019, Springer LNCS, http://www.dexa.org/trustbus2019
 
Abstract
The General Data Protection Regulation that is already in effect for about a year now, provisions numerous adjustments and controls that need to be implemented by an organisation in order to be able to demonstrate that all the appropriate technical and organisational measures have been taken to ensure the protection of the personal data. Many of the requirements of the GDPR are also included in the "ISO27k" family of standards. Consequently, organisations that have applied ISO27k to develop an Information Security Management System (ISMS) are likely to have already accommodated many of the GDPR requirements. This work identifies synergies between the new Regulation and the well-established ISO/IEC 27001:2013 and proposes practices for their exploitation. The proposed alignment framework can be a solid basis for compliance, either for organisations that are already certified with ISO/IEC 27001:2013, or for others that pursue compliance with the Regulation and the ISO/IEC 27001:2013 to manage information security.
K. Vemou, M. Karyda, An Organizational Scheme for Privacy Impact Assessments, 15th European Mediterranean & Middle Eastern Conference on Information Systems, pp. 258-271, 2018, Springer, https://link.springer.com/chapter/1...
 
Abstract
The importance of Privacy Impact Assessment (PIA) has been emphasized by privacy researchers and its conduct is provisioned in legal frameworks, such as the European Union’s General Data Protection Regulation. However, it is still a complicated and bewildering task for organizations processing personal data, as available methods and guidelines fail to provide adequate guidance, confusing organisations and PIA practitioners. This paper analyzes the interplay among PIA stakeholders and proposes an organizational scheme for successful PIA projects.
K. Vemou, M. Karyda, An Evaluation Framework for Privacy Impact Assessment Methods, 12th Mediterranean Conference on Information Systems (MCIS2018), 2018, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2018/5...
 
Abstract
Privacy Impact Assessment (PIA) methods guide the implementation of Privacy-by-Design principles and are provisioned in the European Union’s General Data Protection Regulation. As implementing a PIA is still an intricate task for organizations, this paper provides a critical review and assessment of generic PIA methods proposed by related research, Data Protection Authorities and Standards Organizations. The evaluation framework is based on a comprehensive set of criteria elicited through a systematic analysis of relevant literature. This paper also identifies elements of PIA methods that require further support or clarification as well as issues that still remain open, such as the need for implementation of supporting tools.
P. Mavriki, M. Karyda, Profiling with big data: identifying privacy implications for individuals, groups and society , The 12th Mediterranean Conference on Information Systems, 2018, https://aisel.aisnet.org/mcis2018/4...
 
Abstract
User profiling with big data raises critical issues regarding personal data and privacy. Until recently, privacy studies were focused on the control of personal data; due to big data analysis, however, new privacy issues have emerged with unidentified implications. This paper identifies and analyzes privacy threats that stem from data-driven profiling using a multi-level approach: individual, group and society. We analyze the privacy implications stemming from the generation of new knowledge used for automated predictions and decisions. We also argue that mechanisms are required to protect the privacy interests of groups as entities, independently of the interests of their individual members. Finally, this paper discusses privacy threat resulting from the cumulative effect of big data profiling.
I. Topa, M. Karyda, Usability Characteristics of Security and Privacy Tools: The User’s Perspective, 33rd IFIP TC 11 International Conference, SEC 2018 Held at the 24th IFIP World Computer Congress, WCC 2018, pp. 231–244, 2018, Springer Nature Switzerland AG 2018
 
Abstract
Use of security and privacy tools is still limited for various reasons, including usability issues. This paper analyses usability characteristics of security and privacy tools by drawing on relevant literature and employing scenario-based questionnaires and interviews with 150 users to capture their views. Based on users’ feedback, we analyse the role of usability characteristics and identify critical issues such as transparency, control of personal data, design and accessibility and consistency. This paper provides insights into the multifaceted issue of usability of security tools from the users’ perspective and a comprehensive picture of users’ needs and expectations. Some of the findings of this study show that users regard as important that security and privacy tools incorporate usability characteristics relevant to installation, design and accessibility, control and automation, visible feedback, and locatable security settings. Furthermore, users encounter problems with understanding technical terms and report that the availability of tools among smartphones and operating systems is a usability issue.
P. Mavriki, M. Karyda, Using personalization technologies for political purposes: privacy implications, 7th International Conference on eDemocracy, pp. 33-46, 2017, Springer International Publishing AG, https://link.springer.com/chapter/1...
 
Abstract
A growing body of literature has recently focused on the adoption of personalization methods and tools traditionally used in e-commerce, in the area of political marketing and communication. However, the impact of adopting personalization applications for political purposes has not been studied yet. This paper contributes to filling this gap, by analyzing privacy threats stemming from the use of personalization tools for political purposes and identifying their impact on individuals and society. This paper also identifies issues that need further research, as big data, individual targeting, the development of behavioral science and sophisticated personalization techniques are reshaping political communication and pose new privacy risks.
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Investigating the Values that Drive the Adoption of Anonymity Tools: A Laddering Approach, 11th Mediterranean Conference on Information Systems (MCIS 2017), 2017, AIS Electronic Library (AISeL)
M. Karyda, Fostering Information Security Culture in Organisations: A Research Agenda, 11th Mediterranean Conference on Information Systems (MCIS 2017), 2017, AIS Electronic Library (AISeL)
M. Karyda, L. Mitrou, Data Breach Notification: Issues and Challenges for Security Management, 10th Mediterranean Conference on Information Systems, 2016,
I. Topa, M. Karyda, Analyzing Security Behaviour Determinants for Enhancing ISP Compliance and Security Management, 13th European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS 2016), 2016
 
Abstract
Extant literature has identified a wide range of factors that influence employees’ compliance with organisational ISPs and shape security behaviour. Security management, however, has not embodied this knowledge as many studies employ different terms to refer to similar concepts or focus only on a specific aspect (e.g. cognitive or environmental issues), depending on the theoretical approach used. Literature provides limited directions to security managers on the effect of security behaviour determinants on security management. This paper provides a comprehensive analysis of factors that have been identified, through an extensive literature review. It also provides an analysis and discussion of how these factors can enhance information security policy compliance. This work provides a conceptual framework that can help security managers understand employee security behaviour and assist them to improve current security management. The paper also identifies controversial findings in relevant literature and suggests issues that need further investigation.
K. Vemou, M. Karyda, Evaluating privacy practices in Web 2.0 services, 9th Mediterranean Conference on Information Systems, 2015, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2015/7...
 
Abstract
This paper discusses the effectiveness of privacy practices and tools employed by Web 2.0 service providers to help users protect their privacy and to respond to public pressure. By experimenting on three recently introduced tools, which claim to offer users access and choice on the data stored about them, we analyse their privacy preserving features. Research results indicate their limited effectiveness with regard to user privacy. We discuss the discrepancy between the stated goals of these privacy enhancing tools and the actual goals these tools accomplish.
K. Vemou, G. Mousa, M. Karyda, On the low diffusion of Privacy-enhancing Technologies in Social Networking: results of an empirical investigation, 12th European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015), 2015
 
Abstract
This paper discusses the low adoption of PETs among SNS users, based on the results of an empirical investigation among users of social networking services. 170 members of 5 popular social networks provided information on how they protect their privacy, as well as on the most important factors guiding their decision to use privacy preserving tools or not. Research findings suggest that awareness of PETs is still low among social network users and that quality, effectiveness, cost and ease of use are critical factors influencing PETs adoption. A small number of users was also found not to employ any PETs, despite the fact that they reported being familiar with some of them. This paper enhances our understanding of PETs diffusion from the perspective of users and argues that usability aspects need to guide their design and implementation.
I. Topa, M. Karyda, Identifying Factors that Influence Employees’ Security Behavior for Enhancing ISP Compliance, 12th Trust, Privacy and Security in Digital Business International Conference, pp. 169-179, 2015, Springer International Publishing,
 
Abstract
Organizations apply information security policies to foster secure use of information systems but very often employees fail to comply with them. Employees’ security behavior has been the unit of analysis of research from different theoretical approaches, in an effort to identify the factors that influence security policy compliance. Through a systematic analysis of extant literature this paper identifies and categorizes critical factors that shape employee security behavior and proposes security management practices that can enhance security compliance. Research findings inform theory by identifying research gaps and support security management.
K. Vemou, M. Karyda, S. Kokolakis, Directions for Raising Privacy Awareness in SNS Platforms, 18th Panhellenic Conference on Informatics, pp. 1-6, 2014, ACM New York, http://dl.acm.org/citation.cfm?id=2...
 
Abstract
Members of online social networks are often under an illusion of privacy, underestimating privacy risks related to their personal information published in their profiles. Current literature identifies privacy awareness as a key factor for enhancing user privacy. This paper identifies awareness raising applications and explores the effectiveness of awareness tools and practices currently employed by six popular SNS platforms, through a combined approach of literature review and experimental use. Our findings illustrate that awareness practices differ significantly among platforms and fail to promote awareness. We also show that effective awareness raising tools, such as privacy signalling and visualization applications, are overlooked and propose directions to further enhance privacy awareness mechanisms in SNS platforms.
T. Spyridopoulos, I. Topa, T. Tryfonas, M. Karyda, A holistic approach for Cyber Assurance of Critical Infrastructure with the Viable System Model, 29th IFIP TC 11 International Conference, SEC 2014, pp. 438-445, 2014, Springer Berlin Heidelberg, http://link.springer.com/chapter/10...
 
Abstract
Industrial Control Systems (ICSs) are among the most important components of National Critical Infrastructure. They can provide control capabilities in complex systems of critical importance such as energy production and distribution, transportation, telecoms etc. Protection of such systems is the cornerstone of essential service provision with resilience and in a timely manner. Effective risk management methods form the basis for the protection of an Industrial Control System. However, the nature of ICSs renders traditional risk management methods insufficient. The proprietary character and the complex interrelationships of the various systems that form an ICS, the potential impacts outside its boundaries, along with emerging trends such as the exposure to the Internet, necessitate revisiting traditional risk management methods, in a way that treats an ICS as a system-of-systems rather than a single, one-off entity. Towards this direction, in this paper we present enhancements to the traditional risk management methods at the phase of risk assessment, by utilising the cybernetic construct of the Viable System Model (VSM) as a means towards a holistic view of the risks against Critical Infrastructure. For the purposes of our research, utilising VSM’s recursive nature, we model the Supervisory Control and Data Acquisition (SCADA) system, one of the most commonly used ICSs, as a VSM and identify the various assets, interactions with the internal and external environment, threats and vulnerabilities.
K. Vemou, M. Karyda, Embedding privacy practices in social networking services, 7th IADIS International Conference Information Systems 2014, pp. 201-208, 2014, IADIS Press, http://www.iadisportal.org/digital-...
 
Abstract
Built-in privacy emerges as a necessity to keep users’ interest and trust in Social Networking Services. However, extant literature is dominated by research on developing and/or employing Privacy-Enhancing Technologies as add-ons and on exploring users’ privacy preferences, failing to provide explicit guidance on how to inscribe privacy from the early stages of SNS implementation. In this paper we draw upon the principles of privacy-by-design to propose a list of privacy requirements to drive privacy-friendly SNS design and discuss their implementation in four popular SNS platforms.
K. Vemou, M. Karyda, A classification of factors influencing low adoption of PETs among SNS users, 10th International Conference on Trust, Privacy & Security in Digital Business, pp. 74-84, 2013, Springer, http://link.springer.com/chapter/10...
 
Abstract
Privacy concerns are rising among SNS users. However, privacy enhancing technologies are not, yet, widely deployed, moreover the rate at which their deployment has grown over the last few years has not been substantial. This is surprising given the fact that PETs are widely recognized as effective at reducing privacy risks. This paper discusses this paradox and tries to answer the question why PETs adoption by social network users is limited. It presents a framework of key factors that facilitates understanding of the issue and can serve as a guide for future research and practice.
S. Kokolakis, K. Anastasopoulou, M. Karyda, An Analysis of Privacy-related Strategic Choices of Buyers and Sellers in e-Commerce Transactions, 16th Panhellenic Conference on Informatics (PCI2012), 2012, CPS,
 
Abstract
E-commerce transactions, in addition to the exchange of goods and services for payment, often entail an indirect transaction, where personal data are exchanged for better services or lower prices. This paper analyses buyer’s and seller’s privacy-related strategic choices in e-commerce transactions through game theory. We demonstrate how game theory can explain why buyers mistrust internet privacy policies and relevant technologies (e.g. P3P) and sellers hesitate to invest in data protection.
R. El-Haddadeh , A. Tsohou, M. Karyda, Implementation challenges for information security awareness initiatives in e-Government, European Conference on Information Systems, 2012, AIS Electronic Library (AISeL),
 
Abstract
With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations, while at the same time, maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs including information security awareness to provide the needed understanding on how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social as well as technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programmes often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization.
L. Mitrou, M. Karyda, EU’s Data Protection Reform and the right to be forgotten - A legal response to a technological challenge?, 5th International Conference of Information Law and Ethics, 2012,
 
Abstract
Technological and social phenomena like cloud computing, behavioural advertising, online social networks as well as globalisation (of data flows) have profoundly transformed the way in which personal data are processed and used. This paper discusses the efficiency of the legislation in force and the impact of PETs and the concept of privacy by design on the enforcement of data protection rules. By recognizing the need to update the data protection regulation as a result of current technological trends that threaten to erode core principles of data protection, the paper addresses the question whether the Draft-Regulation presents an adequate and efficient response to the challenges that technological changes pose to regulators. In this context the paper focuses on the right to be forgotten as a comprehensive set of existing and new rules to better cope with privacy risks online in the age of “perfect remembering” and shows how persistency and high availability of information limit the right of individuals to be forgotten. The paper deals with both the normative and the technical instruments and requirements so as to ensure that personal information will not be permanently retained.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Information Security Awareness through Networks of Association, 7th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2010), pp. 227-237, 2010, Lecture Notes in Computer Science, Springer,
 
Abstract
Information security awareness is a continuous effort to raise attention to information security and its importance, in order to stimulate security-oriented behaviors. Despite the increasing interest of researchers on the topic and the continuous notifications of global security surveys for its significance, awareness remains a critical issue of information security. Related approaches propose techniques and methods for promoting security without theoretical grounding and separately from the overall information security management framework. The aim of this paper is to suggest a theoretical and methodological framework which facilitates the analysis and understanding of the issues that are intertwined with awareness activities, in order to support the organization’s security management.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, 4th Mediterranean Conference on Information Systems (MCIS09), 2009,
 
Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.
M. Karyda, S. Gritzalis, J. H. Park, A Critical Approach to Privacy Research in Ubiquitous Environments: Issues and Underlying Assumptions, TRUST’07 2nd International Workshop on Trustworthiness, Reliability, and Services in Ubiquitous and Sensor Networks, pp. 12-21, 2007, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pd...
 
Abstract
This paper explores the different aspects of ubiquitous environments with regard to the protection of individuals’ private life. A critical review of the relevant research reveals two major trends. First, that there is a shift in the perception of privacy protection, which is increasingly considered as a responsibility of the individual, instead of an individual right protected by a central authority, such as a state and its laws. Second, it appears that current IT research is largely based on the assumption that personal privacy is quantifiable and bargainable. This paper discusses the impact of these trends and underlines the issues and challenges that emerge. The paper stresses that, for the time being, IT research approaches privacy in ubiquitous environments without taking into account the different aspects and the basic principles of privacy. Finally the paper stresses the need for multidisciplinary research in the area, and the importance that IT research receives input from other related disciplines such as law and psychology. The aim of the paper is to contribute to the on-going discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research.
C. Fragos, M. Karyda, E. Kiountouzis, Using the Lens of Circuits of Power in Information Systems Security Management, 4th International Conference on Trust, Privacy and Security in Digital Business (TrustBus ‘07), pp. 228-236, 2007, Springer,
 
Abstract
This paper uses the perspective of power in the study of IS security management. We explore the role of power in the implementation of an information systems security policy, using the Circuits of Power as a Framework for the analysis. A case study research was conducted in a public sector organization that introduced a security policy in order to comply with the law. The authors interviewed members of the organization to explore the different aspects of power relations which were intertwined with the implementation of the policy and used the Circuits of Power to analyze the data gathered. The conclusions derived from the analysis illustrate the role of power in the policy implementation process and indicate that a power perspective provides useful insight in the study of factors affecting the implementation of security policies.
M. Karyda, L. Mitrou, Internet Forensics: Legal and Technical Issues, 2nd Annual Workshop on Digital Forensics and Incident Analysis (WDFIA 2007), pp. 3-12, 2007, IEEE
 
Abstract
This paper provides a combined approach on the major issues pertaining to the investigation of cyber crimes and the deployment of Internet forensics techniques. It discusses major issues from a technical and legal perspective and provides general directions on how these issues can be tackled. The paper also discusses the implications of data mining techniques and the issue of privacy protection with regard to the use of forensics methods.
T. Balopoulos, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, S. K. Katsikas, A Framework for Exploiting Security Expertise in Application Development, TrustBus’06 3rd International Conference on Trust, Privacy, and Security in the Digital Business, pp. 62-70, 2006, Lecture Notes in Computer Science LNCS Vol. 4083, Springer, http://www.icsd.aegean.gr/publicati...
 
Abstract
This paper presents a framework that enables application developers to make use of security expertise. This is achieved with the help of security ontologies and the employment of security patterns. Through the development of a security ontology, developers can locate the major security-related concepts and identify those relevant to the application context. Security patterns provide tested solutions for accommodating security requirements. Finally, the main features of the framework are listed with respect to related work.
L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Dritsas, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Developing a Security Patterns Repository for Secure Applications Design, ECIW 2006 5th European Conference on Information Warfare and Security, pp. 51-60, 2006, ACL Academic Conferences Limited, http://www.icsd.aegean.gr/publicati...
 
Abstract
Application developers are often confronted with difficulties in choosing or embedding security mechanisms that are necessary for building secure applications, since this demands possessing expertise in security issues. This problem can be circumvented by involving security experts early in the development process. This practice, however, entails high costs; moreover, communication between developers and security experts is usually problematic and security expertise is difficult to capture and exploit by developers. This paper proposes that the process of building secure applications can be facilitated through the use of security patterns. It presents a security patterns repository that can provide developers with an effective mechanism to address the issue of incorporating security requirements and mechanisms in application development. The paper also specifies a list of patterns and describes their basic elements. For describing and managing the patterns, the paper proposes a structure that is especially suitable for the case of security patterns. The method followed for developing the security patterns repository entails the employment of a security ontology. Finally, the paper presents a set of exemplary cases where the repository can support the software development process. The paper’s contribution is an enhanced security patterns repository that allows application developers to benefit from the accumulated knowledge and expertise in the area of security, so that they are able to develop secure applications.
M. Karyda, T. Balopoulos, S. Dritsas, L. Gymnopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, An Ontology for Secure e-Government Applications, DeSeGov’06 Workshop on Dependability and Security in eGovernment, pp. 1033-1037, 2006, IEEE CPS, http://ieeexplore.ieee.org/xpl/logi...
 
Abstract
This paper addresses the issue of accommodating security requirements in application development. It proposes the use of ontologies for capturing and depicting the security experts' knowledge. In this way, developers can exploit security expertise in order to make design choices that help them fulfil security requirements more effectively. We have developed a security ontology for two different application scenarios to illustrate its use. To validate the ontology, we have used queries.
S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Employing Ontologies for the Development of Security Critical Applications: The Secure e-Poll Paradigm, IFIP I3E International Conference on eBusiness, eCommerce, and eGovernment, pp. 187-201, 2005, Springer, http://link.springer.com/content/pd...
 
Abstract
Incorporating security in the application development process is a fundamental requirement for building secure applications, especially with regard to security sensitive domains, such as e-government. In this paper we follow a novel approach to demonstrate how the process of developing an e-poll application can be substantially facilitated by employing a specialized security ontology. To accomplish this, we describe the security ontology we have developed, and provide a set of indicative questions that developers might face, together with the solutions that ontology deployment provides.
S. Gritzalis, P. Belsis, M. Karyda, M. Chalaris, C. Skourlas, I. Chalaris, Designing the Provision of PKI services for eGovernment, HERCMA 2005 7th Hellenic European Research on Computer Mathematics and its Applications Conference, 2005, LEA publisher, http://www.aueb.gr/pympe/hercma/pro...
 
Abstract
The European Union has launched a comprehensive strategy framework and emerging actions on security and privacy issues. In this direction, a number of relevant initiatives have been put forward (e.g. cyber security task force, awareness campaigns, promotion of good practices, improved exchange of information mechanisms, etc.). Their results will provide the basis for the work towards a secure information infrastructure. The key actions proposed for a secure information infrastructure, under the eEurope-2005 umbrella, include, among others, “Secure Communication between Public Services”, e.g. examination of the possibilities to establish a secure communications environment for the exchange of government information. An important aspect in this direction is the deployment of a Public Key Infrastructure (PKI). In this paper, a good-practice guidance is described on how a secure and efficient PKI can be developed to support secure and efficient Government-to-Government and Government-to-Citizen electronic communication.
T. Balopoulos, S. Dritsas, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, Incorporating Security Requirements into the Software Development Process, ECIW 2005 4th European Conference on Information Warfare and Security, pp. 21-28, 2005, Academic Conferences Limited, http://www.google.gr/books?hl=en&lr...
 
Abstract
Security requirements, such as authentication, confidentiality, authorization, availability, integrity and privacy, are becoming extremely common in software development processes. However, in practical terms, it has been proved that the developed software only rarely fulfils the related security requirements. The reason for this is twofold. On one hand, software developers are not security experts and thus they are not competent in selecting and applying the appropriate security countermeasures. On the other hand, many security requirements are intrinsically difficult to deal with. This paper aims to address both of the aforementioned issues and to introduce potential solutions. It starts by analysing the major security requirements, and goes on to explore how they can be mapped into concrete security solutions and/or mechanisms. Then, it examines how the fulfilment of security requirements influences the choice of development methodologies and paradigms (with the emphasis being on the design phase), so that the requirements are effectively satisfied. The discussion covers object-oriented and aspect-oriented programming, the Rational Unified Process, UML and UMLsec, as well as security patterns, with regard to the ways they can support the use of security solutions and/or mechanisms.
M. Karyda, S. Kokolakis, E. Kiountouzis, Information Systems Security and the Structuring of Organisations, 7th International Conference on the Social and Ethical Impacts of Information and Communication Technologies (ETHICOMP 2004), pp. 451-461, 2004, University of the Aegean
 
Abstract
This study explores the consequences of the introduction of a security plan into organisations by means of a case study of a non-governmental organisation for the treatment of individuals with drug addiction. The paper mainly focuses on the implications of the application of a security plan to the social system in the organisation. The framework for analysis used for the case study is based on the fundamental tenets of A. Giddens’ structuration theory. Structuration theory can be used as an analysis tool for studying the interplay between social structures and human agency and also provides the framework for taking into account aspects of organisational change. This study contributes to the stream of research on the implications of implementing security plans and policies in the organisational context, which is still in a very early stage.
C. Lambrinoudakis, S. Kokolakis, M. Karyda, V. Tsoumas, D. Gritzalis, S. K. Katsikas, Electronic Voting Systems: Security Implications of the Administrative Workflow, 14th International Workshop on Database and Expert Systems Applications (DEXA 2003), W06: International Workshop on Trust and Privacy in Digital Business (TrustBus), pp. 467-471, 2003, IEEE Computer Society Press
 
Abstract
With the rapid growth of the Internet, online voting appears to be a reasonable alternative to conventional elections and other opinion-expressing processes. Current research focuses on designing and building “voting protocols” that can support the voting process, while implementing the security mechanisms required for preventing fraud and protecting voters' privacy. However, not much attention has been paid to the administrative part of an electronic voting system that supports the actors of the system. Possible “security gaps” in the administrative workflow may result in deteriorating the overall security level of the system, even if the voting protocol implemented by the system succeeds in fully complying with the security requirements set for voting. In this direction, this paper describes the responsibilities and privileges of the actors involved in the electronic voting process. The description of the role of each actor, together with the clear indication of what each actor is expected - and thus allowed - to do with the system, formulates an operational framework that complements the technological security features of the system and allows us to talk about “secure electronic voting systems”.
M. Karyda, S. Kokolakis, E. Kiountouzis, Content, Context, Process Analysis of IS Security Policy Formation, 18th IFIP International Conference on Information Security, pp. 145-156, 2003, Kluwer Academic Publishers
 
Abstract
Security management is now acknowledged as a key constituent of Information Systems (IS) management. IS security management traditionally relies on the formation and application of security policies. Most of the research in this field addresses issues regarding the structure and content of security policies, whereas the context within which security policies are conceived and developed remains rather unexplored. However, security policies that are formed without taking into account the specific social and organisational environment within which they will be applied often prove to be inapplicable or ineffective. In this paper, we explore the issues pertaining to the formation of security policies under the perspective of contextualism. Within the framework of contextualism, we study the context, content and process of IS security policies development. This paper aims to contribute to IS security research by bringing forth the issue of context-dependent formation of security policies. In addition, it provides a contextual framework, which we expect to improve the effectiveness of IS security policies development.
D. Gritzalis, M. Karyda, L. Gymnopoulos, Elaborating Quantitative Approaches for IT Security Evaluation, 17th International Conference on Information Security (SEC 2002), pp. 67-77, 2002, Kluwer Academic Publishers
 
Abstract
Information Systems security evaluation is a sine qua non requirement for effective IT security management, as well as for establishing trust among different but cooperating business partners. This paper initially provides a critical review of traditionally applied evaluation and certification schemes. Based upon this review, the paper stresses the need for an approach that is quantitative in nature and can address the problem of IS operational security. Then, such an approach is presented, mainly based on an existing complex of models (CEISOQ) for evaluating IS operation quality. It is argued that there are certain benefits if this approach is applied in combination with the traditional qualitative ones.
M. Karyda, S. Kokolakis, E. Kiountouzis, Redefining Information Systems Security: Viable Information Systems, 16th IFIP International Conference on Information Security (SEC 2001), pp. 453-467, 2001, Kluwer Academic Publishers
 
Abstract
Research on Information Security has been based on a well-established definition of the subject. Consequently, it has delivered a plethora of methods, techniques, mechanisms and tools to protect the so-called security attributes (i.e. availability, confidentiality and integrity) of information. However, modern Information Systems (IS) appear rather vulnerable and people show mistrust in their ability to deliver the services expected. This phenomenon leads us to the conclusion that information security does not necessarily equal IS security. In this paper, we argue that IS security, contrary to information security, remains a confusing term and a neglected research area. We attempt to clarify the meaning and aims of IS security and propose a framework for building secure information systems, or, as we suggest they be called, viable information systems.
S. Kokolakis, M. Karyda, D. Gritzalis, Information Systems Security Management in Virtual Organizations, 4th International Conference on Security in Information Systems (SIS2000), pp. 109-125, 2000
 
Abstract
The virtual organization is a new form of organization possessing the characteristic of incorporating business units with a high degree of autonomy. This form of organization, which is expected to become the dominant organizational paradigm for the 21st century, strongly depends on the effectiveness of cooperation among the autonomous Information Systems (IS) of each business unit. Developing a security policy and installing security controls for each IS appears as a prerequisite for the survival of the virtual organization, but on the other hand it may severely hinder IS cooperation, as policies and controls often give rise to conflicts and interoperability problems. In this paper, we analyse the problem of managing IS security in multi-policy environments and introduce a Security Policies Management System (SPMS) that facilitates the management of IS security in virtual organizations and supports the resolution of conflicts between security policies.