Lillian Røstad

• Jaatun, Martin Gilje; Cruzes, Daniela Soares; Bernsmed, Karin; Tøndel, Inger Anne & Røstad, Lillian (2015). Software Security Maturity in Public Organisations. Lecture Notes in Computer Science (LNCS). ISSN 0302-9743. 9290, p. 120–138. doi: 10.1007/978-3-319-23318-5_7. Show summary

  Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway using the practices and activities of the Building Security In Maturity Model (BSIMM). The findings suggest that public organisations in Norway excel at Compliance and Policy activities when developing their own code, but that there is a large potential for improvement with respect to Metrics, Penetration testing, and Training of developers in secure software development.

• Balon-Perin, Alexandre; Gambäck, Björn & Røstad, Lillian (2012). Intrusion Detection Using Ensembles. In Mannaert, Herwig (Eds.), Seventh International Conference on Software Engineering Advances 2012 (ICSEA 2012). Xpert Publishing Services. ISSN 9781622765843. p. 656–663.
• Røstad, Lillian & Nerbråten, Øyvind (2009). hAcmeGame: A Tool for Teaching Software Security. In Makoto, Takizawa (Eds.), Proceedings of the The Forth International Conference on Availability, Reliability and Security, ARES 2009. IEEE. ISSN 9780769535647. p. 811–817.
• Røstad, Lillian & Alsos, Ole Andreas (2009). Patient-Administered Access Control: a Usability Study. In Makoto, Takizawa (Eds.), Proceedings of the The Forth International Conference on Availability, Reliability and Security, ARES 2009. IEEE. ISSN 9780769535647. p. 877–882.
• Røstad, Lillian; Meland, Per Håkon; Tøndel, Inger Anne & Øie, Gunnar Rene (2008). Learning by Failing (and Fixing). IEEE Security and Privacy. ISSN 1540-7993. 6(4), p. 54–56. Show summary

  Vulnerable software is one of the main challenges the IT industry faces today. According to Symantec's Internet Security Threat Report,1 of the 2,461 security vulnerabilities discovered in the first half of 2007, more than 60 percent related to Web applications. To build better and more secure applications, developers need security knowledge. Until very recently, hardly any universities focused on teaching students how to build secure software—and many still don't. It's possible for a student to complete an education as a software engineer without learning anything about how to build secure systems. At the Norwegian University of Science and Technology, we've offered a course on software security for two years now (fall 2006 and 2007). We developed this popular course in close cooperation with SINTEF, a Norwegian research foundation closely tied to the university. In both years, we had more than 60 students, which is rather high for an elective class. Approximately 150 to 200 students are eligible to take the class, and they can choose from 15 to 20 different classes. Here, we present our experiences in teaching the course. Because software security is a relatively new course topic, there isn't much previous experience to review when developing such a curriculum. So, we focus on our class exercises, which have been crucial to the course. We hope our experiences provide valuable input to others and start an ongoing discussion on how best to teach software security.

• Røstad, Lillian (2008). An Initial Model and a Discussion of Access Control in Patient Controlled Health Records. In Werner, Bob (Eds.), Proceedings of the The Third International Conference on Availability, Reliability and Security, ARES 2008. IEEE. ISSN 0769531024. p. 935–942.
• Røstad, Lillian & Nytrø, Øystein (2008). Personalized Access Control for a Personally Controlled Health Record. In Jaeger, Trent (Eds.), Proceedings of the 2nd ACM workshop on Computer security architectures. Association for Computing Machinery (ACM). ISSN 978-1-60558-300-6. p. 9–16.
• Røstad, Lillian & Nytrø, Øystein (2008). Towards Dynamic Access Control for Healthcare Information Systems. In Andersen, Stig Kjær; Klein, Gunnar O.; Schulz, Stefan; Aarts, Jos & Mazzoleni, M. Cristina (Ed.), eHealth Beyond the Horizon – Get IT There - Proceedings of MIE2008 – The XXIst International Congress of the European Federation for Medical Informatics. IOS Press. ISSN 978-1-58603-864-9. p. 703–708.
• Røstad, Lillian; Meland, Per Håkon; Tøndel, Inger Anne & Nytrø, Øystein (2007). Access Control and Integration of Health Care Systems: An Experience Report and Future Challenges. In Man Tho, Nguyen (Eds.), Proceedings from the Second International Conference on Availability, Reliability and Security (ARES 2007). IEEE. ISSN 0-7695-2775-2.
• Røstad, Lillian (2006). An extended misuse case notation: Including vulnerabilities and the insider threat. In Peter, Sawyer (Eds.), Proceedings of The Twelfth Working Conference on Requirements Engineering: Foundation for Software Quality. Essener Informatik Beitrage. ISSN 3-922602-26-6.
• Røstad, Lillian & Edsberg, Ole (2006). A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs. In Werner, Bob (Eds.), Proceedings of the 22nd Annual Computer Security Applications Conference. IEEE. ISSN 0-7695-2716-7. p. 175–183.
• Stav, Erlend; Walderhaug, Ståle; Tomassen, Stein Løkke; Røstad, Lillian & Moe, Nils Brede (2006). MAFIIA - an Architectural Description Framework: Experience from the Health Care Domain. In Konstantas, D; Bourrières, J.-P.; Léonard, M. & Boudjlida, N. (Ed.), Interoperability of Enterprise Software and Applications. Springer Publishing Company. ISSN 1-84628-151-2. p. 43–54. Show summary

  Interoperability: the ability of a system or a product to work with other systems or products without special effort from the user is a key issue in manufacturing and industrial enterprise generally. It is fundamental to the production of goods and services quickly and at low cost at the same time as maintaining levels of quality and customisation. While data exchange and IT applications are vital contributions to successful interoperability, communications and common semantics can be just as important between businesses. Composed of more than 40 papers of international authorship, Interoperability of Enterprise Software and Applications ranges from academic research through case studies to industrial experience of interoperability. Many of the papers have examples and illustrations calculated to deepen understanding and generate new ideas. The INTEROP-ESA’05 conference from which this book is drawn was sponsored by the European Union and the Swiss federal government under the IST research program and was further supported by International Society for Information Processing and the Association for Computing Machinery. A concise reference to the state of the art in software interoperability, Interoperability of Enterprise Software and Applications will be of great value to engineers and computer scientists working in manufacturing and other process industries and to software engineers and electronic and manufacturing engineers working in the academic environment.

View all works in Cristin

• Bartnes, Maria & Røstad, Lillian (2019). Hva er egentlig rett og galt for roboter? . Dagens næringsliv. ISSN 0803-9372.
• Jaatun, Martin Gilje; Scandariato, Riccardo & Røstad, Lillian (2014). Guest Editorial Preface - Special Issue on 7th International Workshop on Secure Software Engineering (SecSE 2013). International Journal of Secure Software Engineering (IJSSE). ISSN 1947-3036. 5(2), p. iv–vi.
• Faxvaag, Arild; Røstad, Lillian; Tøndel, Inger Anne; Seim, Andreas Røsland & Toussaint, Pieter Jelle (2009). Visualizing patient trajectories on wall-mounted boards — information security challenges. Show summary

  Since operating room departments are among the costliest resources at a hospital, much attention is devoted to maximize their utilization. Operating room activities are however notoriously hard to plan in advance. This has to do with the unpredictable, problem-solving nature of the work and that the work is carried out by a multidisciplinary team of health personnel, members of which also have commitments outside the operating room department. We assume that operating room teams have the capacity to coordinate themselves and that coordination might be facilitated by visualizing relevant information on wall-mounted boards. To characterize clinical situations that require coordination and re-planning of the teams’ work, we have developed a realistic scenario. We analyse and discuss the information security challenges that follow from displaying information on the whereabouts of other teams, actors and patients on wall-mounted boards in the operating rooms. Information security threats could be mitigated by de-identification techniques. Information demands could thereby be met without sacrificing the privacy of those whose information is displayed.

• Røstad, Lillian (2005). Access Control in Healthcare Applications.
• Røstad, Lillian (2004). Access Control for Distributed Health Care Applications.
• Røstad, Lillian (2009). Access Control in Healthcare Information Systems. NTNU-trykk. ISSN 978-82-471-1259-5. 2009(24).
• Røstad, Lilian; Nytrø, Øystein; Moe, Nils Brede & Stav, Erlend (2003). Sikkerhetsarkitektur for PlanBasert Samarbeidsjournal SPBS v.1. [Mangler utgivernavn]. ISSN 82-14-03097-8. Show summary

  Denne rapporten beskriver første versjon av en arkitektur for et informasjonssystem som støtter samhandling om individuelle planer. Arkitekturen er et resultat av prosjektet �Planbasert samarbeidsjournal for helhetlige individuelle psykiatriplaner � delprosjekt teknologiutvikling� som er finansiert av Norges forskningsråd, program for IKT i medisin og helsetjeneste. Arkitekturbeskrivelsen er laget ved hjelp av metoderammeverket MAFIIA/H. Hovedfokus i denne versjonen av arkitekturen har vært å beskrive systemets omgivelser, krav og de overordnede komponentene som skal være med. Arbeidet har vært fokusert på å identifisere aktuelle brukere av systemet, og hvilke funksjoner og informasjon de skal ha tilgang til. Det er mange instanser som skal delta i samhandling om individuell plan, derfor er en av hovedutfordringene å sørge for at brukere av systemet til enhver tid kun har tilgang til den informasjon de har rett til, og behov for å se. Sikkerhet er derfor viktig. Med sikkerhet mener vi informasjonssikkerhet, og fokus er først og fremst på tilgangsstyring. Tilgangsstyring betyr at brukere av systemet kun har tilgang til det de har rett til å se, i kraft av den rolle de til enhver tid innehar i forhold til den aktuelle planen

View all works in Cristin