Lothar Fritsch

• Wairimu, Samuel; Iwaya, Leonardo Horn; Fritsch, Lothar & Lindskog, Stefan (2024). On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review. IEEE Access. ISSN 2169-3536. 12, s. 19625–19650. doi: 10.1109/ACCESS.2024.3360864. Vis sammendrag

  Assessing privacy risks and incorporating privacy measures from the onset requires a comprehensive understanding of potential impacts on data subjects. Privacy Impact Assessments (PIAs) offer a systematic methodology for such purposes, which are closely related to Data Protection Impact Assessments (DPIAs), particularly outlined in Article 35 of the General Data Protection Regulation (GDPR). The core of a PIA is a Privacy Risk Assessment (PRA). PRAs can be integrated as part of full-fledged PIAs or independently developed to support PIA processes. Although these methodologies have been identified as essential enablers of privacy by design, their effectiveness has been criticized because of the lack of evidence of their rigorous and systematic evaluation. Hence, we conducted a Systematic Literature Review (SLR) to identify published PIA and PRA methodologies and assess how and to what extent they have been scientifically validated or evaluated. We found that these methodologies are rarely evaluated for their performance in practice, and most of them have only been validated in limited studies. Most validation evidence is found with PRA methodologies. Of the evaluated methodologies, PIAs were the most evaluated, where case studies were the predominant evaluation method. These evaluated methodologies can be easily transferred to an industrial setting or used by practitioners, as they provide evidence of their use in practice. In addition, the findings in this study can be used to inform researchers of the current state-of-the-art, and practitioners can understand the benefits and current limitations of the methodologies and adopt evidence-based practices.

• Iwaya, Leonardo Horn; Nordin, Anna; Fritsch, Lothar; Børøsund, Elin; Johansson, Margareta & Varsi, Cecilie [Vis alle 7 forfattere av denne artikkelen] (2023). Early Labour App: Developing a practice-based mobile health application for digital early labour support. International Journal of Medical Informatics. ISSN 1386-5056. 177. doi: 10.1016/j.ijmedinf.2023.105139. Fulltekst i vitenarkiv Vis sammendrag

  Background: Pregnant women in early labour have felt excluded from professional care, and their partners have been restricted from being involved in the birthing process. Expectant parents must be better prepared to deal with fear and stress during early labour. There is a need for evidence-based information and digital applications that can empower couples during childbirth. Objective: To develop and identify requirements for a practice-based mobile health (mHealth) application for Digital Early Labour Support. Methods: This research started with creating an expert group composed of a multidisciplinary team capable of informing the app development process on evidence-based practices. In consultation with the expert group, the app was built using an agile development approach (i.e., Scrum) within a continuous software engineering setting (i.e., CI/CD, DevOps), also including user and security tests. Results: During the development of the Early Labour App, two main types of challenges emerged: (1) user challenges, related to understanding the users’ needs and experience with the app, and (2) team challenges, related to the software development team in particular, and the necessary skills for translating an early labour intervention into a digital solution. This study reaffirms the importance of midwife support via blended care and the opportunity of complementing it with an app. The Early Labour App was easy to use, the women needed little to no help, and the partner’s preparation was facilitated. The combination of the app together with blended care opens up awareness, thoughts and feelings about the method and provides good preparation for the birth. Conclusion: We propose the creation of the Early Labour App, a mHealth app for early labour support. The preliminary tests conducted for the Early Labour App show that the app is mature, allowing it to be used in the project’s Randomised Control Trial, which is already ongoing.

• Fritsch, Lothar (2023). Electronic identity mass compromize: Options for recovery. I Roßnagel, Heiko; Schunk, Christian H. & Günther, Jochen (Red.), Open Identity Summit 2023. Gesellschaft für Informatik. ISSN 978-3-88579-729-6. s. 141–146. doi: 10.18420/OID2023_13. Vis sammendrag

  A National Digital Identity Framework should be designed in a proactive manner, should focus on a resilience-oriented approach, and should be aimed at limiting the risks that may originate from identity data management [IT18]. What is the preparedness of digital identity providers for recovery from compromise that affects large numbers of identities? Failures or attacks may destroy authenticators, data or trust chains that are the foundations of large identity ecosystems. The re-issuance of digital identities, of authenticators or the re-enrollment of the user base should get planned as contingency measures. Important parameters will be recovery time, complexity of re-registering subjects, distribution of effort between certification authorities, registrars and relying parties, and the availability of alternative technologies and staff resources. The article will, based on a review of standards and requirements documents, present evidence for a shortage of recovery readiness that endangers relying parties and identity ecosystems. From a review of standards and practice, we extract recovery procedures as far as they are planned for.

• Fritsch, Lothar; Alzarqawee, Aws Naser Jaber & Yazidi, Anis (2023). An overview of artificial intelligence used in malware. I Zouganeli, Evi; Yazidi, Anis; Borges Moreno e Mello, Gustavo & Lind, Pedro (Red.), Nordic Artificial Intelligence Research and Development: 4th Symposium of the Norwegian AI Society, NAIS 2022, Oslo, Norway, May 31-June 1, 2022, Revised Selected Papers. Springer Nature. ISSN 9783031170294. Vis sammendrag

  Artificial intelligence (AI) and machine learning (ML) methods are increasingly adopted in cyberattacks. AI supports the establishment of covert channels, as well as the obfuscation of malware. Additionally, AI results in new forms of phishing attacks and enables hardto- detect cyber-physical sabotage. Malware creators increasingly deploy AI and ML methods to improve their attack’s capabilities. Defenders must therefore expect unconventional malware with new, sophisticated and changing features and functions. AI’s potential for automation of complex tasks serves as a challenge in the face of defensive deployment of anti-malware AI techniques. This article summarizes the state of the art in AI-enhanced malware and the evasion and attack techniques it uses against AI-supported defensive systems. Our findings include articles describing targeted attacks against AI detection functions, advanced payload obfuscation techniques, evasion of networked communication with AI methods, malware for unsupervised-learning-based cyberphysical sabotage, decentralized botnet control using swarm intelligence and the concealment of malware payloads within neural networks that fulfill other purposes. Keywords: Information Security, Artificial Intelligence, Malware, Steganography, Covert Channels, Machine Learning, Adverse Artificial Intelligence

• Alzarqawee, Aws Naser Jaber & Fritsch, Lothar (2023). Towards AI-powered Cybersecurity Attack Modeling with Simulation Tools: Review of Attack Simulators. I Leonard, Barolli (Red.), Advances on P2P, Parallel, Grid, Cloud and Internet Computing Proceedings of the 17th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC-2022). Springer. ISSN 978-3-031-19945-5. s. 249–257. doi: https:/doi.org/10.1007/978-3-031-19945-5_25. Vis sammendrag

  Cybersecurity currently focuses primarily on defenses that detect and prevent cyber-attacks. However, it is more important to regularly verify an organization’s security posture to reinforce its cybersecurity defenses as the IT environment becomes more complex and competitive. Confronted with an increasing use of artificial intelligence (AI) in cyber attacks, attack simulation platforms need to allow software vulnerabilities to be found against AI-powered attacks too. Such simulators will enable defenders to maintain a basic safety level and gain control over their security posture. Gradually, we are moving towards smart and autonomous platforms. This paper reviews established cyberattack simulation scientific research techniques with the goal of presenting a selection of tools and platforms that minimize the biases and inaccuracies inherent in traditional, isolated ad hoc research on A-powered cyberattacks.

• Wairimu, Samuel & Fritsch, Lothar (2022). Modelling privacy harms of compromised personal medical data - beyond data breach, ARES 2022: The 17th International Conference on Availability, Reliability and Security. Association for Computing Machinery (ACM). ISSN 978-1-4503-9670-7. s. 1–9. doi: 10.1145/3538969.3544462. Vis sammendrag

  What harms and consequences do patients experience after a medical data breach? This article aims at the improvement of privacy impact analysis for data breaches that involve personal medical data. The article has two major findings. First, scientific literature does not mention consequences and harms to the data subjects when discussing data breaches in the healthcare sector. For conceptualizing actual documented harm, we had to search court rulings and popular press articles instead. We present the findings of our search for empirically founded harms in the first part of the article. Second, we present a modified PRIAM assessment method with the goal of better assessment of harms and consequences of such data breaches for the patient/employee data subject in healthcare. We split the risk assessment into parallel categories of assessment rather than calculating a single risk score. In addition, we quantify the original PRIAM categories into a calculus for risk assessment. The article presents our modified PRIAM which is the result of these modifications. Our overall contribution is the collection of actual harms and consequences of e-health data breaches that complement the overly theoretical discussion in publications. With our operationalization of PRIAM and by providing a catalog of real harms examples, we focus privacy impact assessment on actual harms to persons.

• Fritsch, Lothar; Mecaliff, Marie; Opdal, Kathinka; Rundgreen, Mathias & Sachse, Toril S. (2022). Towards robustness of keyboard-entered authentication factors with thermal wiping against thermographic attacks. I Roßnagel, Heiko; Schunk, Christian H. & Mödersheim, Sebastian (Red.), Open Identity Summit 2022, LNI Volume P325. Gesellschaft für Informatik. ISSN 978-3-88579-719-7. s. 15–26. doi: 10.18420/OID2022_01. Vis sammendrag

  Many authentication methods use keyboard entry for one of their authentication factors. Keyboards factors have been compromised exploiting physical fingerprints, substances from fingers visible on keys, with acoustic recordings through mobile phones, and through video reflections captured by high-resolution cameras used for video conferencing. Heat transfer from human fingers to keypads is an additional attack channel that has been demonstrated. There are few mitigation measures published against this type of attack. This article summarizes the feasibility of thermographic attacks against computer keyboards and against door pin pads, as well as the efficiency of the scrubbing technique deployed in order to counter thermographic attacks. For this purpose, a series of experiments with small, mobile thermal cameras were carried out. We report findings such as time intervals and other constraints for successful laboratory observation of authentication factors, describe scrubbing methods and report the performance of those methods.

• Naser Jaber, Aws; Fritsch, Lothar & Haugerud, Hårek (2022). Improving Phishing Detection with the Grey Wolf Optimizer , 2022 International Conference on Electronics, Information, and Communication (ICEIC 2022) . IEEE (Institute of Electrical and Electronics Engineers). ISSN 9781665409353. doi: 10.1109/ICEIC54506.2022.9748592. Vis sammendrag

  With the recent epidemic of COVID-19-themed scam and phishing, the efficient automated detection of such attacks is crucial. Although many anti-phishing solutions, such as lists and similarity and heuristic-based approaches detect attacks, methods still can be improved. Classification accuracy is highly dependent on the feature selection method used to select appropriate features for classification. In this article, a multi-objective grey wolf optimizer is used to select proper features for classifying phishing websites through a variational autoencoder. Our results indicate the superiority of the classification rate compared with related work: A classification rate of 97.49%, is obtained, thereby suggesting the feasibility of evaluating our work.

• Nordin, Anna; Ängeby, Karin & Fritsch, Lothar (2022). Body-Area Sensing in Maternity Care: Evaluation of Commercial Wristbands for Pre-birth Stress Management. I Ur Rehman, Masood & Zoha, Ahmed (Red.), Body Area Networks. Smart IoT and Big Data for Intelligent Health Management. 16th EAI International Conference, BODYNETS 2021, Virtual Event, October 25-26, 2021, Proceedings. Springer. ISSN 978-3-030-95592-2. s. 168–175. doi: https:/doi.org/10.1007/978-3-030-95593-9_14. Vis sammendrag

  Many women use digital tools during pregnancy and birth. There are many existing mobile applications to measure quantity and length of contractions during early labour, but there is a need to offer evidence-based, credible electronic and digital solutions to parents-to-be. This article presents ongoing research work in a research project regarding mobile telemetric supported maternity care. It summarizes an approach for stress management in late maternity and under birth preparation that is based on body area sensing, our investigation of the properties of commercially available wearable wristbands for body sensing, and the insights gained from testing the wristbands from the project’s perspective. We found that sensing precision is very variable depending on the wristband model, while the flows of medical personal data exclusively are routed through vendor cloud platforms outside the EU. The impact of our findings for the use of commercial wristbands in European medical research and practice is discussed in the conclusion.

• Alzarqawee, Aws Naser Jaber & Fritsch, Lothar (2021). COVID-19 and Global Increases in Cybersecurity Attacks: Review of Possible Adverse Artificial Intelligence Attacks. I Jiamset, Keerapat; Kamolphiwong, Sinchai; Pongbangpho, Supakorn & Cheawsuwan, Thitirath (Red.), 25th International Computer Science and Engineering Conference (ICSEC). IEEE (Institute of Electrical and Electronics Engineers). ISSN 978-1-6654-1197-4. s. 434–442. doi: 10.1109/ICSEC53205.2021.9684603. Vis sammendrag

  The World Health Organization's (WHO) coronavirus disease dashboard has recorded over 207 million confirmed infections and over 4 million deaths. There has been an increasing vulnerability in cybersecurity amongst businesses, gov- ernments and individuals worldwide because the COVID-19 pandemic has led to additional online activities. Accordingly, many people have turned to online work whilst the world is locked down. Thus, warnings have been issued by cybersecurity agencies that the number of cyber threat actors is increasing, and that they are improving in terms of stealing money, personal information and intellectual property. Opportunities for cybercrimes have increased, and COVID-19 is an effective lure. New methods for adverse artificial intelligence (AI)-empowered cyberattacks have been developed, or will be in the near future, using various weaponisations of AI under the COVID-19 umbrella. For this reason, this study reviewed and summarised how and when the most recent cyberattack trends can successfully exploit COVID-19 as a context for attack. Additionally, a summary of the state of knowledge of adverse AI is given, and its potential within the COVID-themed security threats, including defenses, is discussed.

• Bisztray, Tamas; Gruschka, Nils; Bourlai, Thirimachos & Fritsch, Lothar (2021). Emerging Biometric Modalities and their Use: Loopholes in the Terminology of the GDPR and Resulting Privacy Risks. I Brömme, Arslan; Busch, Christoph; Damer, Naser; Dantcheva, Antitza; Gomez-Barrero, Marta; Raja, Kiran; Rathgeb, Christian; Sequeira, Ana F. & Uhl, Andreas (Red.), Proceedings of the 20th International Conference of the Biometrics Special Interest Group (BIOSIG2021). Gesellschaft für Informatik. ISSN 978-1-6654-2693-0. s. 81–90. Vis sammendrag

  Technological advancements allow biometric applications to be more omnipresent than in any other time before. This paper argues that in the current EU data protection regulation, classification applications using biometric data receive less protection compared to biometric recognition. We analyse preconditions in the regulatory language and explore how this has the potential to be the source of unique privacy risks for processing operations classifying individuals based on soft traits like emotions. This can have high impact on personal freedoms and human rights and, therefore, should be subject to data protection impact assessment.

• Zibuschka, Jan & Fritsch, Lothar (2021). Mapping Identity Management in Data Lakes. I Roßnagel, Heiko; Schunk, Christian & Mödersheim, Sebastian (Red.), Open Identity Summit 2021 Proceedings. Gesellschaft für Informatik. ISSN 978-3-88579-706-7. Vis sammendrag

  Data lakes are an emerging paradigm for large-scale, integrated data processing within organizations. While it has been noted in earlier work that data governance is central for the successful operation of a data lake, and that privacy is a central issue in such a setting as personal information may be processed, the governance of personal information in data lakes has received only cursory attention. We propose tackling this information using identity management functions and perform a systematic gap analysis based on the FIDIS typology of identity management systems.

• Fritsch, Lothar & Gruschka, Nils (2021). Extraction and Accumulation of Identity Attributes from the Internet of Things. I Roßnagel, Heiko; Schunk, Christian & Mödersheim, Sebastian (Red.), Open Identity Summit 2021 Proceedings. Gesellschaft für Informatik. ISSN 978-3-88579-706-7. Fulltekst i vitenarkiv Vis sammendrag

  Internet of Things (IoT) devices with wireless communication provide person-relateable information usable as attributes in digital identities. By scanning and profiling these signals against location and time, identity attributes can be generated and accumulated. This article introduces the concept of harvesting identifiable information from IoT. It summarizes ongoing work that aims at assessing the amount of person-relatable attributes that can get extracted from public IoT signals. We present our experimental data collection in Oslo/Norway and discuss systematic harvesting, our preliminary results, and their implications.

• Hatamian, Majid; Wairimu, Samuel; Momen, Nurul & Fritsch, Lothar (2021). A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps. Empirical Software Engineering. ISSN 1382-3256. 26. doi: 10.1007/s10664-020-09934-4.
• Bisztray, Tamas; Gruschka, Nils; Mavroeidis, Vasileios & Fritsch, Lothar (2020). Data Protection Impact Assessment in Identity Control Management with a Focus on Biometrics. I Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian & Hühnlein, Detlef (Red.), Open Identity Summit 2020. Gesellschaft für Informatik. ISSN 978-3-88579-699-2. s. 185–192. doi: 10.18420/ois2020_17.
• Momen, Nurul & Fritsch, Lothar (2020). App-generated digital identities extracted through Android permission-based data access - a survey of app privacy, Sicherheit 2020, Sicherheit, Schutz und Zuverlässigkeit, Konferenzband der 10. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI). Springer Berlin/Heidelberg. ISSN 978-3-88579-695-4. s. 15–28. doi: 10.18420/sicherheit2020_01. Vis sammendrag

  Smartphone apps that run on Android devices can access many types of personal information. Such information can be used to identify, profile and track the device users when mapped into digital identity attributes. This article presents a model of identifiability through access to personal data protected by the Android access control mechanism called permissions. We present an abstraction of partial identity attributes related to such personal data, and then show how apps accumulate such attributes in a longitudinal study that was carried out over several months. We found that apps' successive access to permissions accumulates such identity attributes, where different apps show different interest in such attributes.

• Momen, Nurul; Hatamian, Majid & Fritsch, Lothar (2019). Did App Privacy Improve After the GDPR? IEEE Security and Privacy. ISSN 1540-7993. doi: 10.1109/MSEC.2019.2938445.
• Fritsch, Lothar (2018). How Big Data helps SDN with data protection and privacy. I Taheri, Javid (Red.), Big Data and Software Defined Networks. The Institution of Engineering and Technology. ISSN 978-1-78561-304-3. s. 339–351. Vis sammendrag

  This chapter will discuss Big Data (BD) as a tool in software-defined networking (SDN) from the perspective of information privacy and data protection. First, it will discuss how BD and SDN are connected and expected to provide better services. Then, the chapter will describe the core of data protection and privacy requirements in Europe, followed by a discussion about the implications for BD use in SDN. The chapter will conclude with recommendations and privacy design considerations for BD in SDN.

• Schulz, Trenton & Fritsch, Lothar (2014). Accessibility and Inclusion Requirements for Future e-Identity Solutions. I Miesenberger, Klaus; Fels, Deborah; Archambault, Dominique; Peňáz, Petr & Zagler, Wolfgang (Red.), Computers Helping People with Special Needs - Proceedings of the 14th International Conference, ICCHP 2014, Paris, France, July 9-11, 2014; Bind 2. Springer Lecture Notes on Computer Science (LNCS) 8648. Springer. ISSN 978-3-319-08598-2. s. 316–323. doi: 10.1007/978-3-319-08596-8_50. Vis sammendrag

  Future e-identity services will need to be accessible for people with different types of abilities. We review current sets of accessibility guidelines and standards, current assistive technology, and current e-identity technology to determine accessibility and inclusion requirements for a future e-identity solution. For our project, we found that the area we could influence the most was the development of user interface for the client for e-identity and focused on these areas with the assumption that users would have access to inclusive cards and card readers. The requirements are divided into content and presentation, control and operation, legal requirements, testing, and help and support. We also provide possible areas for future research.

• Schulz, Trenton & Fritsch, Lothar (2013). Identifying Trust Strategies in the Internet of Things. I Schulz, Trenton (Red.), Proceedings of the User-Centered Trust in Interactive Systems Workshop: a Workshop from NordiCHI 2012. Norwegian Computing Center. ISSN 978-82-539-0538-9. s. 19–23. Vis sammendrag

  Users in the Internet of Things (IoT) use strategies to determine if they should trust a system or service. These strategies are not actively declared, but it can be useful to know which strategy is being used. We provide possible actions that users may perform when using different trust strategies and possible ways these can be captured for user studies.

• Paintsil, Ebenezer & Fritsch, Lothar (2013). Executable Model-Based Risk Analysis Method for Identity Management Systems: Using Hierarchical Colored Petri Nets. I Furnell, Steven; Lambrinoudakis, Costas & Lopez, Javier (Red.), Trust, Privacy, and Security in Digital Business. Springer. ISSN 978-3-642-40342-2. s. 48–61. doi: 10.1007/978-3-642-40343-9_5. Vis sammendrag

  Model-based risk analysis methods use graphical models to facilitate participation, risk communication and documentation and thereby improve the risk analysis process. Currently, risk analysis methods for identity management systems (IDMSs) mainly rely on time consuming and expensive manual inspections and lack graphical models. This article introduces the executable model-based risk analysis method (EM-BRAM) with the aim of addressing these challenges. The EM-BRAM employs graphical models to enhance risk analysis in IDMSs. It identifies risk contributing factors for IDMSs and uses them as inputs to a colored petri nets (CPNs) model of a targeted IDMS. It then verifies the system’s risk using CPNs’ state space analysis and queries.

• Røssvoll, Till Halbach & Fritsch, Lothar (2013). Trustworthy and Inclusive Identity Management for Applications in Social Media. I Kurosu, Masaaki (Red.), Human-Computer Interaction. Users and Contexts of Use. Springer. ISSN 978-3-642-39264-1. s. 68–77. doi: 10.1007/978-3-642-39265-8_8. Vis sammendrag

  We describe a prototype for inclusive and secure identity management regarding a bill sharing application in social media. Beginning with the principals of universal design, and involving groups of users with impairments, we designed a set of alternative authentication methods based on OpenID. This work explains the scenario and the particularities of designing a trust, security, and privacy infrastructure with a high degree of usability for diverse user groups, and which is aligned with the requirements from regulatory frameworks. The user trials show that several authentication alternatives in multiple modalities are welcomed by impaired users, but many have restrictions when it comes to payments in the context of social media.

• Røssvoll, Till Halbach & Fritsch, Lothar (2013). Reducing the User Burden of Identity Management: A Prototype Based Case Study for a Social-Media Payment Application. I Miller, Leslie (Red.), ACHI 2013, The Sixth International Conference on Advances in Computer-Human Interactions. IARIA. ISSN 978-1-61208-250-9. s. 364–370.
• Paintsil, Ebenezer & Fritsch, Lothar (2013). Executable Model-Based Risk Assessment Method for Identity Management Systems. I Fischer-Hübner, Simone; Leeuw, Elisabeth de & Mitchell, Chris (Red.), Policies and Research in Identity Management. Third IFIP WG 11.6 Working Conference, IDMAN 2013, London, UK, April 8-9, 2013. Proceedings. Springer. ISSN 978-3-642-37282-7. s. 97–99. doi: 10.1007/978-3-642-37282-7_8. Vis sammendrag

  Currently, risk assessment methods for identity management systems (IDMSs) are lacking. This makes it difficult to compare IDMSs based on how they enhance privacy and security of system stakeholders. This article proposes the executable model-based risk assessment method (EM-BRAM) with the aim of addressing this challenge. The EM-BRAM identifies risk factors inherent in IDMSs and uses them as inputs to a colored petri nets (CPNs) model of a targeted IDMS. It then estimates or verifies the system’s security and privacy risks using CPNs’ state space analysis and queries.

• Zibuschka, Jan & Fritsch, Lothar (2012). A hybrid approach for highly available & secure storage of pseudo-SSO credentials. I Jøsang, Audun & Carlsson, Bengt (Red.), Secure IT Systems: 17th Nordic Conference, NordSec 2012, Karlskrona, Sweden, October 31 – November 2, 2012. Proceedings. Springer. ISSN 978-3-642-34209-7. s. 169–183. doi: 10.1007/978-3-642-34210-3_12. Vis sammendrag

  Abstract: We present a novel approach for password/credential storage in Pseudo-SSO scenarios based on a hybrid password hashing/password syncing approach that is directly applicable to the contemporary Web. The approach supports passwords without requiring modification of the server side and thus is immediately useful; however, it may still prove useful for storing more advanced credentials in future SSO and identity management scenarios, and offers a high level of security. Keywords. Single sign-on, authentication, syncing, hashing.

• Kohlweiss, Markulf & Fritsch, Lothar (2012). Privatsphäre trotz intelligenter Zähler. digma - Zeitschrift für Datenrecht und Informationssicherheit. ISSN 1424-9944. 12(1), s. 22–26.
• Fritsch, Lothar; Groven, Arne-Kristian & Schulz, Trenton (2012). On the Internet of Things, Trust is Relative. Communications in Computer and Information Science (CCIS). ISSN 1865-0929. 277, s. 267–273. doi: 10.1007/978-3-642-31479-7_46. Vis sammendrag

  End-users on the Internet of Things (IoT) will encounter many different devices and services; they will need to decide whether or not they can trust these devices and services with their information. We identify three items of trust information that end-users will need to determine if they should trust something on the IoT. We create a taxonomy of the likely scenarios end-users will encounter on the IoT and present five trust strategies for obtaining this trust information. Upon applying these strategies to our scenarios, we find that there is no strategy that can work efficiently and effectively in every situations; end-users will need to apply the strategy that best fits their current situation. Offering multiple trust strategies in parallel and having this information transparent to end-users will ensure a sustainable IoT.

• Paintsil, Ebenezer & Fritsch, Lothar (2011). Taxonomy of Privacy and Security Risks Contributing Factors. I Fischer-Hübner, Simone; Duquenoy, Penny; Hansen, Marit; Leenes, Ronald & Zhang, Ge (Red.), Privacy and Identity Management for Life. 6th IFIP WG 9.2, 9.6/11.7, 11.4, 11.6/PrimeLife International Summer School, Helsingborg, Sweden, August 2-6, 2010, Revised Selected Papers. Springer. ISSN 9783642207686. s. 52–63.
• Paintsil, Ebenezer & Fritsch, Lothar (2011). A Taxonomy of Privacy and Security Risks Contributing Factors. IFIP Advances in Information and Communication Technology. ISSN 1868-4238. 352, s. 52–63. doi: 10.1007/978-3-642-20769-3_5.
• Paintsil, Ebenezer & Fritsch, Lothar (2011). Towards Legal Privacy Risk Assessment Automation in Social Media, INFORMATIK 2011 - Informatik schafft Communities. Gesellschaft für Informatik. ISSN 978-3-88579-286-4.
• Fritsch, Lothar (2011). Security and privacy engineering for corporate use of social community platforms, INFORMATIK 2011 - Informatik schafft Communities. Gesellschaft für Informatik. ISSN 978-3-88579-286-4.
• Scherner, Tobias & Fritsch, Lothar (2011). Technology Assurance, Digital Privacy. Springer. ISSN 978-3-642-19049-0. s. 597–608. Vis sammendrag

  This chapter documents the experiences of assurance evaluation during the early stage of a large software development project. The PRIME project researches, contracts and integrates privacy-respecting software to business environments. There exist several approaches to ensure the quality of secure software. Some of these approaches have the focus of quality assurance at a very early stage of the development process and have weaknesses to ensure the quality of this process until the product is ready to enter the market. Other approaches, like the CC, focus on inspection, or more concrete evaluation, of ready-to-market products.

• Solheim, Ivar; Dale, Øystein; Fritsch, Lothar; Røssvoll, Till Halbach; Holmqvist, Knut & Tjøstheim, Ingvar (2010). Search and navigation as retrieval strategies in large photo collections. I Doherty, Aiden R.; Gurrin, Cathal; Jones, Gareth J.F. & Smeaton, Alan F. (Red.), Proceedings of the Information Access for Personal Media Archives Workshop (IAPMA2010). Milton Keynes. ISSN 1872327869.
• Jøsang, Audun; Fritsch, Lothar & Mahler, Tobias (2010). Privacy Policy Referencing. Lecture Notes in Computer Science (LNCS). ISSN 0302-9743. 6264, s. 129–140. Vis sammendrag

  Data protection legislation was originally defined for a context where personal information is mostly stored on centralized servers with limited connectivity and openness to 3rd party access. Currently, servers are connected to the Internet, where a large amount of personal information is continuously being exchanged as part of application transactions. This is very different from the original context of data protection regulation. Even though there are rather strict data protection laws in an increasing number of countries, it is in practice rather challenging to ensure an adequate protection for personal data that is communicated on-line. The enforcement of privacy legislation and policies therefore might require a technological basis, which is integrated with adequate amendments to the legal framework. This article describes a new approach called Privacy Policy Referencing, and outlines the technical and the complementary legal framework that needs to be established to support it.

Se alle arbeider i Cristin

• Fritsch, Lothar; Hassan, Ismail & Paintsil, Ebenezer (2023). Secure IT Systems - 28th Nordic Conference, NordSec 2023, Oslo, Norway, November 16–17, 2023, Proceedings . Springer. ISBN 978-3-031-47747-8. 352 s. Vis sammendrag

  This volume contains the articles presented at the 28th Nordic Conference on Secure IT Systems (NordSec 2023). The conference was held from November 16th to November 17th, 2023, at Oslo Metropolitan University in Norway. The NordSec conference series started in 1996 with the aim of bringing together researchers and practitioners in computer security in the Nordic countries, thereby establishing a forum for discussion and cooperation between universities, industry, and computer societies. The NordSec conference series addresses a broad range of topics within IT security and privacy, and over the years it has developed into an international conference that takes place in the Nordic countries. NordSec is currently a key meeting venue for Nordic university teachers and students with research interests in information security and privacy. NordSec 2023 received 55 submissions, which were double-blind reviewed each by three members of the 64-person reviewer group. The Program Committee selected after the reviewing phase 18 of the manuscripts for publication and inclusion in the proceedings (an acceptance rate of 30 per cent).

Se alle arbeider i Cristin

• Salbu, Magnus; Fritsch, Lothar; Jøsang, Audun; Haugstveit, Geir; Holmen, Emil & Hoel, Odmund [Vis alle 7 forfattere av denne artikkelen] (2023). Kritisk til bakgrunnssjekker: Kan føre til diskriminering. [Avis]. Universitas. Vis sammendrag

  Forsker ved Oslomet er bekymret for at forskningsmiljøer svekkes av strenge bakgrunnssjekker. Søkere fra utvalgte land blir automatisk diskvalifisert, hevder UiO-professor.

• Øye, Olav-Johan & Fritsch, Lothar (2022). Slik kan du unngå dataangrep . [Fagblad]. Forskning.no. Vis sammendrag

  Internasjonale konflikter øker risikoen for angrep på datasystemer, datamaskiner og mobiltelefoner. Professor i datasikkerhet gir her råd om hvordan du kan beskytte deg.

• Ellen Synnøve, Viseth; Fritsch, Lothar & Marques, Nuno (2022). Anklager NSM for å senke terskelen for diskriminering mot russere . [Fagblad]. Teknisk Ukeblad. Vis sammendrag

  Nasjonal sikkerhetsmyndighet besøkte nylig en konferanse for kraftbransjen, og ba bransjen stille seg selv noen spørsmål, blant annet om hvor mange russere som jobber i kraftsektoren. "- Vi vet jo at det jobber russere der." Denne advarselen har fått to forskere ved OsloMet til å reagere sterkt. "- En statlig sikkerhetsmyndighet burde ikke øke redselen og senke terskelen til diskriminering på et slikt unyansert vis."

• Fritsch, Lothar & Julie, Solvin Jacobsen (2022). Hva er hacking? Viten + Snakkis podcast @ OsloMet. [Internett]. Vitenogsnakkis.oslomet.no. Vis sammendrag

  Hva er hacking? Lytt til podcasten “Hva er hacking?” i OsloMETs podast-serie Viten + Snakkis! Her har Lothar Fritsch et samtale med verten Julie om hacking, dens røtter, hvem hackere er og de ulike mål de har. Samtalen går inn på cyberkrig, digital utpressing og hva hacking er. Category: cyberkrig, cybersikkerhet, hacker Tag: cyberkrig, cyberkriminalitet, cyberkriminelle, cybersoldater, digital bedrageri, digital utpressing, hacking, informasjonssikkerhet, podcast

• Hegnar, Emma Victoria; Brustad, Emilie & Fritsch, Lothar (2022). Ekspert om hackerangrepet: - Kan ha vært en avledningsmanøver. [Avis]. Dagbladet. Vis sammendrag

  Lothar Fritsch, professor i informatikk, mener at onsdagens hackerangrep kan ha vært en avledningsmanøver for et mer alvorlig cyberangrep. Flere offentlige norske nettsteder sliet eller gikk onsdag ned etter å ha blitt utsatt for massive dataangrep. Den russiske hackergruppa Killnet antas å stå bak angrepet. Professor Lothar Fritsch ved Institutt for informatikk ved OsloMet sier til Dagbladet at hackerangrepet som ble utført mot Norge onsdag ikke var et omfattende dataangrep. Likevel mener han at angrepet kan ha vært en avledningsmanøver.

• Fritsch, Lothar (2021). Battlefield of cyber weapons - The future war of connected smart things and algorithms.
• Fritsch, Lothar (2021). Perspectives on Source Protection - Privacy risk .
• Tilman, Baumgärtel & Fritsch, Lothar (2021). Piazza virtuale ion the Internet - Interview with Lothar Fritsch, 18.03.2019. [Internett]. https://vangoghtv.hs-mainz.de/?portfolio=piazza-virtuale-onl. Vis sammendrag

  “Piazza virtuale” was a media experiment that took place at documenta IX in 1992. Van Gogh TV, a group of artists and hackers, wanted to transfer the concept of an Italian piazza – a place for casual meetings and conversations – into the media. To do this, they used all the electronic media available at the time to involve the television audience, who could watch the program daily on 3Sat, in what was happening on the screen. Usenet was the most important discussion platform on the Internet in the 1990s. Before the emergence of the World Wide Web, people discussed and exchanged ideas here in thousands of forums organized by topic. The newsgroup’s name, de.soc.kultur, signals what it’s all about: it’s a German-language group (de) in which social issues (soc = society) and, in this case, cultural topics, are discussed. On June 22, 1992, a week after “Piazza virtuale” began broadcasting, Lothar Fritsch, then a computer science student at Saarland University, wrote a detailed review of the program. Almost thirty years later, we interviewed him, who now teaches computer science at Oslo Metropolitan University in Oslo, about his memories of the program.

• Zibuschka, Jan & Fritsch, Lothar (2021). Mapping Identity Management in Data Lakes. Vis sammendrag

  Data lakes are an emerging paradigm for large-scale, integrated data processing within organizations. While it has been noted in earlier work that data governance is central for the successful operation of a data lake, and that privacy is a central issue in such a setting as personal information may be processed, the governance of personal information in data lakes has received only cursory attention. We propose tackling this information using identity management functions and perform a systematic gap analysis based on the FIDIS typology of identity management systems.

• Fritsch, Lothar; Tjøstheim, Ingvar & Kitkowska, Agnieszka (2018). I’m Not That Old Yet! The Elderly and Us in HCI and Assistive Technology.
• Tjøstheim, Ingvar & Fritsch, Lothar (2018). Similar Information Privacy Behavior in 60-65s vs. 50-59ers - Findings From A European Survey on The Elderly.
• Fritsch, Lothar (2015). Future identity ecosystems and eID provisioning -The EU project FutureID .
• Fritsch, Lothar (2015). Information privacy: Technology, principles, and challenges .
• Fritsch, Lothar (2014). Management of Privacy Risks in Information Systems. Vis sammendrag

  Information Privacy & Privacy Enhancing Technologies (PETs) - What tools for anonymity & privacy are there? Information Privacy from a Management Perspective - How can IT security managers handle privacy? Challenges for Security and Risk Managers - Difficulties in application & open issues.

• Fritsch, Lothar (2014). Big Data - Implikasjoner for bedriftens strategi og sikkerhet. Vis sammendrag

  Big Data som strategisk satsing i bedriften krever spesiell fokus på datasikkerhet. Forelesningen definerer Big Data og dets implikasjoner for informasjonssikkerhet og sikkerhetsledelse. Sikkerheten diskuteres fra angriperens og forsvarerens perspektiv. Foredraget avrunder med praksisrettete anbefalinger for informasjonssikkerhet og personvern i Big-Data-applikasjoner.

• Fritsch, Lothar (2014). Innovasjoner innen trygge og personvernsøkende elektroniske identiteter fra forskning - Research innovations in information security and privacy in electronic identity management. Vis sammendrag

  Foredrag om risikoanalyse og løsninger for innebygget personvern i elektroniske identitetsforvaltningssystemer. Agenda * Kort om e-ID * Dagens e-ID-økosystemer * Personvernsutfordringer med e-ID * Løsninger for e-ID med innebygget personvern * Utfordringer med bruk av e-ID

• Fritsch, Lothar (2014). E-ID, Sosiale Medier,industristandarder- nytteverdi og risiko. Innføring i populære e-ID-systemer. Vis sammendrag

  Innhold: Sosiale Medier E-ID – kort definisjon og egenskaper fra en forsker Globale e-ID systemer Sosiale medier som facebook, Google, og andre OpenID-løsninger Industriallianser Kantara, Fido Alliance, OASIS Muligheter og risiko Spesielt om personvern

• Fritsch, Lothar (2014). The metered self vs. managed healthcare IoT - a reality check. Vis sammendrag

  Are managed sensor networkes in healthcare threatened by the quantified self wave? Quantified self – a new concept? Just a new form of shared social media narcissism? A form of identity reassurace in the times of lost traditions? «Dataism» or «Transhumanism» or «datasexuality»? Self-metering equipment is used in ad-hoc ways, often with little (medical) scientific verification of the claimed benefits Those technologies are very appealing to users due to the perceived empowerment (see E.Rogers, Diffusion of Innovations) Self-metering as of today puts all the burden of security and privacy evaluation on the end user. Most systems operate outside the European regualtion frameworks for e-health or data protection Some applications are beneficial to users already Most health apps are used for a few weeks only. This presentation analyzes self-metering and the Internet of Things for e-health from three perspectives: the user's, the health professional's and the privacy researcher's.

• Fritsch, Lothar (2014). Helsedata, e-helse, IKT og personvern - hvor oppstår og lagres det helsedata? Vis sammendrag

  E-helse: Framtid med intens datautveksling ►Helsearbeid produserer mye digital data: pasientdata, prosessdata, fakturadata, laboranalysedata, diagnostikk, mobile sensorer. ▪Data lagres, leses, deles, «leies ut» og kombineres. ▪Adgang, deling, arkivering baseres på datakommunikasjon, dvs. data deles med andre datasystemer og deres brukere. ►Med deling av data kommer det nye aktører inn i helsemarket, både i offentlig helsesektor og privat. ►Teknologi og kunnskap muliggjør nye scenarier i e-helse. Presentasjonen omhandler: 1. E-helse: Framtid med intens datautveksling 2. Data innenfor helsesystemet 3. Data utenfor helsesystemet 4. Data på grenseflaten 5. Tiltak for bedre personvern

• Grønli, Kristen Straumsheim; Hellman, Riitta; Fuglerud, Kristin Skeide & Fritsch, Lothar (2014). Snart kan passordene bestå av lyder, bilder og mønster - Norske forskere vil gjøre nett-tjenester tilgjengelig for alle. [Internett]. Teknisk Ukeblad. Vis sammendrag

  Mekanismene vi bruker til innlogging i dag gjør livet på nett krevende. Mange passord å holde styr på er en daglig utfordring. Folk forenkler gjerne ved å bruke det samme over alt, eller ved å skrive ned. Begge deler går ut over sikkerheten. Problemet vokser i takt med økningen i antall tjenester som krever innlogging med passord. For mennesker med hukommelsesproblemer eller lese- og skrivevansker er det enda verre. For ikke å snakke om for de som sliter med synet. Noen løsninger gjør det helt umulig for personer med funksjonshemminger å logge seg på.

• Grønli, Kristin Straumsheim; Fritsch, Lothar; Hellman, Riitta & Fuglerud, Kristin Skeide (2014). Utestengt fra nettjenester. [Internett]. Forsnkningsrådet.no. Vis sammendrag

  Nesten halvparten av alle kundehenvendelser til Altinn handler om trøbbel med innlogging. Hvem skal sørge for at tjenester på nettet blir tilgjengelige for alle?

• Fritsch, Lothar; Grønli, Kristen Straumsheim & Snekkenes, Einar (2014). Identifisering uten hamstring av persondata. [Internett]. Forskningsrådet.no. Vis sammendrag

  Mange aktører jakter informasjon om oss på nettet. Vi har få verktøy i vårt forsvar. Hvordan kan datasystemer håndtere elektroniske identiteter og samtidig ivareta personvernet?

• Fritsch, Lothar; Grønli, Christin Straumsheim & Snekkenes, Einar (2014). Vi gir for mye info om oss selv på nett. [Internett]. Forskning.no. Vis sammendrag

  Mange aktører jakter informasjon om oss på nettet. Ofte gir vi mer enn de trenger. Forskere finner nå datasystemer som tar vare på personvernet vårt.

• Fritsch, Lothar (2013). The Clean Privacy Ecosystem of the Future Internet. Future Internet. ISSN 1999-5903. 5(1), s. 34–45. doi: 10.3390/fi5010034. Vis sammendrag

  This article speculates on the future of privacy and electronic identities on the Internet. Based on a short review of security models and the development of privacy-enhancing technology, privacy and electronic identities will be discussed as parts of a larger context—an ecosystem of personal information and electronic identities. The article argues for an ecosystem view of personal information and electronic identities, as both personal information and identity information are basic required input for many applications. Therefore, for both application owners and users, a functioning ecosystem of personal information and electronic identification is important. For the future of the Internet, high-quality information and controlled circulation of such information is therefore argued as decisive for the value of future Internet applications.

• Schulz, Trenton & Fritsch, Lothar (2012). Identifying Trust Strategies in the Internet of Things.
• Fritsch, Lothar (2012). Scientific Writing and Publishing - An introduction for new PhD students at NR. A course on writing guidlines, publication channels, and program committees as part of your publication strategy. Vis sammendrag

  Contents ► PhD learning goals ► A short definition of research in Computer Science ► Scientific Writing ► Publishing Articles

• Roßnagel, Heiko; Camenisch, Jan; Fritsch, Lothar; Houdeau, Detlef; Hühnlein, Detlef & Lehmann, Anja [Vis alle 8 forfattere av denne artikkelen] (2012). FutureID – Shaping the Future of Electronic Identity. Vis sammendrag

  Abstract. The FutureID project builds a comprehensive, flexible, privacy-aware and ubiquitously usable identity management infrastructure for Europe, which integrates existing eID technology and trust infrastructures, emerging federated identity management services and modern credential technologies to provide a user-centric system for the trustworthy and accountable management of identity claims. The FutureID infrastructure will provide great benefits to all stakeholders involved in the eID value chain. Users will benefit from the availability of a ubiquitously usable open source eID client that is capable of running on arbitrary desktop PCs, tablets and modern smart phones. FutureID will allow application and service providers to easily integrate their existing services with the FutureID infrastructure, providing them with the benefits from the strong security offered by eIDs without requiring them to make substantial investments. This will enable service providers to offer this technology to users as an alternative to username/password based systems, providing them with a choice for a more trustworthy, usable and innovative technology. For existing and emerging trust service providers and card issuers FutureID will provide an integrative framework, which eases using their authentication and signature related products across Europe and beyond. To demonstrate the applicability of the developed technologies and the feasibility of the overall approach FutureID will develop two pilot applications and is open for additional application services who want to use the innovative FutureID technology. This paper provides a short overview of the FutureID project. Keywords. Identity Management, eID, Identity Broker, Open Source Client

• Fritsch, Lothar (2012). Trust and Privacy in the Internet of Things in the User’s View - Keynote talk on "Future Trends and Challenges" track.
• Fritsch, Lothar (2012). Undesirable side effects: From NFC to IoT.
• Fritsch, Lothar (2011). Identifisering, Autentisering, Autorisering - Identifisering, Autentisering, Autorisering.
• Fritsch, Lothar (2011). Motbør for mobilbillett - Intervjuet av Bjørn Egil Halvorsen. Ukjent.
• Hagalisletto, Anders Moen & Fritsch, Lothar (2011). Mobilnett-kollapsen: Vi må leve med risikoen (kronikk). Ukjent.
• Fritsch, Lothar (2011). Management of Privacy Risks in Information Systems.
• Fritsch, Lothar (2011). Privacy and Regulatory Requirements.
• Fritsch, Lothar (2011). Sikkerhet og Personvern i Sosiale Medier - Utfordringer i bedriftens IKT-strategi.
• Fritsch, Lothar (2011). Information Security in Social Media - Challenges for Corporate IT strategy.
• Hagalisletto, Anders Moen & Fritsch, Lothar (2011). Mobilnett-kollapsen: Vi må leve med risikoen. Forskning.no. ISSN 1891-635X.
• Fritsch, Lothar (2011). Economics of Cybersecurity - Economic perspectives on Information Security.
• Fritsch, Lothar (2011). Motbør for mobilbillett. [Avis]. Aften.
• Fritsch, Lothar (2011). Eliteskrekk. [Avis]. Dagens Næringsliv.
• Fritsch, Lothar (2011). Identifisering, Autentisering, Autorisering - forskjeller og implikasjoner i e-ID-anvendelser.
• Skomedal, Åsmund & Fritsch, Lothar (2010). Høringsuttalelse Cybersikkerhet. Ukjent.
• Fritsch, Lothar (2010). Nettverksbygging og tverrfaglighet med EU ”Network of Excellence”.
• Fritsch, Lothar (2010). Location Privacy by Design - Technology & Business Incentives.
• Fritsch, Lothar (2010). Støtte til forsking og innovasjon i næringslivet: Støtteordninger innenfor IKT i Norge og EU.
• Fritsch, Lothar (2010). Technology and Methods for Information Privacy.
• Fritsch, Lothar (2010). PETweb II – Privacy in Identity Management, presentation as part of the \Identity Management throughout life - solutions, trends, side effects\" networking session on Sep. 29, 2010".
• Fritsch, Lothar (2010). Sosiale Medier, e-IDer og Personvern - Innføring i begrepene og tema til e-Me oppstartmøte.
• Fritsch, Lothar (2010). Business Security and Privacy Risk of RFID.
• Fritsch, Lothar; Toresson, Ludwig; Shaker, Maher & Olars, Sebastian (2020). Privacy impact self-assessment app. Karlstads Universitet. Vis sammendrag

  The popularity of the Android OS has led to the development of millions of applications. The assumption of the majority of the Android user base is that these applications are trustworthy and that the Android system does enough to protect them from the untrustworthy applications. This assumption is however false as the Android system does allow trustworthy applications to track users in different ways and does nothing to detect and remove untrustworthy applications. This project aims at informing users about which of their installed applications is tracking them and all of the negative effects it can have on a persona that is similar to them. This is done through an application that uses a pre-filled log containing the data collection of different applications to match an application with negative effects on a specific predefined persona.

• Tjøstheim, Ingvar; Leister, Wolfgang; Mork, Heidi Camilla & Fritsch, Lothar (2016). Research Directions for Studying Users’ Privacy Awareness. Norsk Regnesentral. Vis sammendrag

  In this document, we present a set of research questions on how to evoke reflection about sharing of personal data and privacy. We look into analytical approaches to understand the phenomenon of people’s privacy behaviour and into synthetical approaches to let the user practise privacy skills to increase awareness using visualisation and simulation technologies in scenarios of relevance to the user. We also review potential risks to security, privacy, anonymity, and other assets and the use of information in social media, for advertisement and commercial activities.

• Fritsch, Lothar & Abie, Habtamu (2013). 2nd PETweb II & ASSET joint PhD Seminar. Norsk Regnesentral. Vis sammendrag

  The 2nd joint PhD seminar of the PETweb II and the ASSET projects, which is the 4th PhD seminar in the PETweb II project, presented the ASSET PhD proposals, the near‐final results of the PETweb II PhD students, and will perform education in scientific work for all participants that is not offered by the cooperation academic institution’s PhD courses.

• Schulz, Trenton; Fritsch, Lothar; Schlehahn, Eva; Hansen, Marit & Zwingelberg, Harald (2013). FutureID Deliverable D22.7 Accessibility and Inclusion Requirements. Norsk Regnesentral. Vis sammendrag

  This document defines the accessibility and inclusion requirements to be taken into account when developing the different prototypes in the FutureID project. It also serves as a back- ground document in informing project partners about different aspects of accessibility when dealing with ICT. This includes looking at definitions, different types of users, assistive tech- nology, and other existing work in the field. Legal requirements, including storing of personal information for making systems accessible, are also covered. The document includes the accessibility and inclusion requirements for both developing and testing the client.

• Fritsch, Lothar & Snekkenes, Einar (2013). Alternative Approaches to Privacy Risk Assessment: Summary of the PETweb II VERDIKT project sponsored by the Research Council of Norway (2009-2013). Norsk Regnesentral. ISSN 978-82-539-0539-6. 1(1029). Vis sammendrag

  The PETweb II project has turned out to be a truly multidisciplinary project. Although the project participants have had most of their training in either law or computer science, some of the most significant results from the project is a consequence of combining ideas from economics, psychology, decision science, journalism and computer science. We believe that this project is an excellent example of how a multidisciplinary perspective can benefit research. From economics, we have imported ideas regarding utility theory. Psychology has contributed with theories of incentives and motivation. Decision science has contributed with multi- attribute utility theory. The concept of framing, belonging to the field of journalism/rhetoric has provided inspiration to explore a new way of framing risk. Computer science has offered inspiration on how the risk management and analysis concepts can be modelled and how the ideas can be implemented as a software tool. Classical risk frame focuses on incident expected impact, i.e. a combination (product) of consequence and likelihood, possibly conditioned on knowledge. PETweb II developed two alternative approaches to risk analysis – the EM-BRAM and the CIRA method. EM-BRAM starts with a model of technical risk sources in identity management technology. From there, it aims at a modelling approach of a given system into an executable model that is used to detect the presence of the risk factors in a concrete system. The risk framing proposed in the CIRA method frames risk as the underlying cause of the incident. In this frame, risk corresponds to misaligned incentives. A preliminary – bleeding edge- alpha version of a CIRA tool was developed right at the end of the project. We intend to explore the possibility of deploying CIRA and associated software tools into the data cloud. It should be kept in mind that CIRA is still in its early days, and much more research need to be completed to enhance and validate the method. However, we have already established a new project to further develop CIRA. In addition, we are planning several new projects to further explore research into a multidisciplinary perspective on risk analysis.

• Paintsil, Ebenezer; Fritsch, Lothar & Snekkenes, Einar (2013). Privacy and Security Risks Analysis of Identity Management Systems. Gjøvik University College. ISSN 978-82-93269-23-6. 1(1-2013). Vis sammendrag

  Denne avhandlingen lager en risikomodell og modellbasert risikoanalysemetode for privacyanalyse og sikkerhetsrisikoanalyse av identity management-systemer (IDMS-er), med det formål å redusere kostnader og gi vitenskapelig støtte for valg av identity managementtilnærminger. Modellbaserte risikoanalysemetoder kan hjelpe systemeiere med å forstå en risikoanalyseprosess gjennom metodens effektive bruk av grafiske modeller for å understøtte deltakelse, kommunikasjon av risiko og dokumentasjon. Disse grafiske risikomodellene illustrerer hva som kan gå galt i systemet og hjelper med estimering av sikkerhetsrisiko. Dagens metoder for modellbasert risikoanalyse støtter generell sikkerhetsrisikoanalyse, men tar ikke for seg privacy i nevneverdig grad. Videre, på grunn av manglende data om tidligere hendelser er disse metodene avhengige av subjektive intuisjoner fra de som analyserer risiko eller fra systemeiere eller de er avhengig av komplekse matematiske valideringsteknikker for å bestemme risiko for et system. Subjektive intuisjoner medfører høy usikkerhet i risikoanalyse. Videre er komplekse matematiske teknikker for risikomodellering og -validering kostbare, vanskelige å lære og kan vanskeliggjøre kommunikasjon av risiko mellom systemeiere. Denne avhandlingen utvikler en balansert tilnærming til risikoanalyse der systemkarakteristikker og verktøy som gjemmer kompleks matematikk brukes for å analysere privacy- og sikkerhetsrisiko i IDMS-er. Den gir ny kunnskap om hvordan lage risikomodeller for IDMS-er fra karakteristisk informasjonsflyt i systemene. Videre lager den en utførbar modellbasert risikoanalysemetode (EM-BRAM) for å forbedre kommunikasjon, automatisering, deltakelse og dokumentasjon i risikoanalyse av i IDMS-er. For å analysere privacy- og sikkerhetsrisiko gjør EM-BRAM bruk av utførbare modeller som er relativt enkle å forstå. EM-BRAM gjør bruk av systemoppførsel og -karakteristikker i stedet for data om tidligere hendelser eller intuisjonen til de som analyserer risiko. Dette betyr at metoden kan redusere subjektivitet og usikkerhet i risikoanalyse av i IDMS-er.

• Fritsch, Lothar (2012). Privacy visualization requirements in the Internet of Things - A uTRUSTit FP7 ICT project note, 7.9.2012. Norsk Regnesentral. Vis sammendrag

  The Internet of Things (IoT) is a complex mesh‐up of devices, infrastructures and services. When connecting to a particular peer, users expose themselves to these infrastructures. This report reviews techniques and knowledge concerning the communication of status information about privacy and information security and trustworthiness to users of the IoT. Particular challenges are the complexity and instability of the infrastructures, the miniature user interfaces of smart things, and the arbitrariness and traceability of connections and device federations.

• Fritsch, Lothar (2012). Documentation of the 3rd PETweb II PhD student workshop - Joint PhD student workshop of the VERDIKT PETweb II and ASSET projects in Gjøvik, 13.9.2012. Norsk Regnesentral.
• Fritsch, Lothar (2012). Documentation of the 2nd PETweb II PhD student workshop - 2-day PhD student workshop of the VERDIKT PETweb II projects in Rømskog, 19.3.2012. Norsk Regnesentral.
• Fritsch, Lothar (2011). Utprøving av Buypass e-ID og Altinn.no - Resultat av smartkort-studie i e-Me prosjekt. Norsk Regnesentral.
• Fritsch, Lothar (2011). Social Media, e-ID and Privacy - Background for the e-Me project. Norsk Regnesentral.
• Fritsch, Lothar (2011). Social Media, e-ID and Privacy - Background for the e-Me project. Norsk Regnesentral.
• Fritsch, Lothar (2011). Utprøving av Buypass e-ID og Altinn.no - Resultat av smartkort-studie i e-Me prosjekt. Norsk Regnesentral.
• Schulz, Trenton; Fritsch, Lothar; Solheim, Ivar; Tjøstheim, Ingvar; Petró, Dániel & Arfwedson, Henrik [Vis alle 7 forfattere av denne artikkelen] (2011). uTRUSTit Deliverable D2.2 Definition of User Scenarios. Norwegian Computing Center. Vis sammendrag

  We present scenarios in the three domains of smart home, smart office, and e-voting. The smart home consists of five scenarios; the smart office includes nine scenarios; e-voting has five scenarios. These scenarios cover a variety of situations that people may encounter in their everyday life and help to illustrate the trust issues that can show up when working with the Internet of Things (IoT). The scenarios form a foundation for many of the tasks and activities in the other work packages since the scenarios capture the functionality that we will work on. We also include a list of potential devices that may be used to realize these scenarios.

• Fritsch, Lothar & Fuglerud, Kristin Skeide (2010). Time and Usability as Upper Boundary in Friend and Family Security and Privacy. Norsk Regnesentral.
• Fritsch, Lothar & Paintsil, Ebenezer (2010). 1st PhD retreat documentation - Minutes of the PETweb II PhD workshop, April 15-16, 2010. Norsk Regnesentral.

Se alle arbeider i Cristin