Εκπαίδευση - Σπουδές

  • Διδακτορικό Δίπλωμα στα Πληροφοριακά Συστήματα, Οικονομικό Πανεπιστήμιο Αθηνων
  • Πτυχίο Πληροφορικής, Οικονομικό Πανεπιστήμιο Αθηνών

Ερευνητικά Ενδιαφέροντα

  • Πληροφοριακά Συστήματα
  • Διοίκηση Ασφάλειας Πληροφοριακών Συστημάτων
  • Ασφάλεια Πληροφοριακών και Επικοινωνιακών Συστημάτων

Διδασκαλία

  • Ανάλυση και Σχεδιασμός Πληροφοριακών Συστημάτων
  • Ασφάλεια Πληροφοριακών και Επικοινωνιακών Συστημάτων (ΠΜΣ)

Ώρες γραφείου: Τρίτη 11:00 - 14:00

Επιτροπές - Διοικητικό έργο

  • Μέλος της Επιτροπής Σπουδών του Τμήματος
  • Μέλος της Επιτροπής Πληροφορικής του Παν. Αιγαίου
  • Μέλος της Επιτροπής Εκπαιδευτικών Εργαστηρίων του Τμήματος
  • Διευθυντής Εργαστηρίου Πληροφοριακών Συστημάτων (2009-2014)
  • Μέλος Συντονιστικής Επιτροπής Μεταπτυχιακών Σπουδών (2007-2014)
  • Μέλος της Συγκλήτου (Εκπρόσωπος Επίκ. Καθηγ., 2010-2011)
  • Αναπληρωματικό μέλος της ΟμΕΑ του Τμήματος (2007 - 2011)
  • Ακαδημαϊκός Σύμβουλος στο ΔΟΑΤΑΠ (2010 - 2011)
  • Μέλος του Γνωμοδοτικού Τεχνικού Συμβουλίου της Υπηρεσίας Ανάπτυξης Πληροφορικής του ΥπΕΣ (2010-2011)

Δημοσιεύσεις σε Διεθνή Περιοδικά (Journals)


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Identifying the values associated with users’ behavior towards anonymity tools through means-end analysis, Computers in Human Behavior Reports, Vol. 2C, No. 100034, 2020, Elsevier, http://www.sciencedirect.com/scienc...
S. Kokolakis, Privacy attitudes and privacy behavior: A review of current research on the privacy paradox phenomenon, Computers & Security, Vol. 64, pp. 122-134, 2017, Elsevier, https://www.researchgate.net/profil..., indexed in SCI-E, IF = 1.035
 

Abstract
Do people really care about their privacy? Surveys show that privacy is a primary concern for citizens in the digital age. On the other hand, individuals reveal personal information for relatively small rewards, often just for drawing the attention of peers in an online social network. This inconsistency of privacy attitudes and privacy behaviour is often referred to as the “privacy paradox”. In this paper, we present the results of a review of research literature on the privacy paradox. We analyse studies that provide evidence of a paradoxical dichotomy between attitudes and behaviour and studies that challenge the existence of such a phenomenon. The diverse research results are explained by the diversity in research methods, the different contexts and the different conceptualisations of the privacy paradox. We also present several interpretations of the privacy paradox, stemming from social theory, psychology, behavioural economics and, in one case, from quantum theory. We conclude that current research has improved our understanding of the privacy paradox phenomenon. It is, however, a complex phenomenon that requires extensive further research. Thus, we call for synthetic studies to be based on comprehensive theoretical models that take into account the diversity of personal information and the diversity of privacy concerns. We suggest that future studies should use evidence of actual behaviour rather than self-reported behaviour.

A. Tsohou, M. Karyda, S. Kokolakis, Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs, Computers & Security, Vol. 52, pp. 128–141, 2015, Elsevier, https://www.researchgate.net/public..., indexed in SCI-E, IF = 1.17
 

Abstract
Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how individuals make security related decisions. Relevant literature, however has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behaviour. Security awareness programs need, therefore, to be aligned with the factors affecting the internalization of the communicated security objectives. Τhis paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behaviour. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behaviour. Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs. Available from: https://www.researchgate.net/publication/275898027_Analyzing_the_role_of_Cognitive_and_Cultural_Biases_in_the_Internalization_of_Information_Security_Policies_Recommendations_for_Information_Security_Awareness_Programs [accessed May 13, 2015].

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Managing the Introduction of Information Security Awareness Programs in Organisations, European Journal of Information Systems, Vol. 24, No. 1, pp. 38-58, 2015, Palgrave , https://www.researchgate.net/public..., indexed in SCI-E, IF = 2.213
 

Abstract
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.

K. Anastasopoulou, S. Kokolakis, Exploring Citizens’ Intention to Use e-Government Services: The Role of Cultural Bias, International Journal of Electronic Governance, Vol. 6, No. 1, pp. 3-19, 2013, Inderscience, http://www.inderscience.com/info/in...
 

Abstract
E-government initiatives often face citizens' mistrust, particularly when they involve the collection and processing of personal data. In this paper, we present the results of an empirical study regarding citizens' intention to use a new service offered by the Greek Ministry of Finance, the so-called 'tax card'. Tax card is used to collect information about everyday purchases and aims to diminish tax avoidance. We have examined the strong influence of cultural bias on the formulation of citizens' intention to use and concluded that different cultural types of people should be addressed in different ways in order to achieve broad adoption of e-government services.

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Trajectories of Information Security Awareness, Information Technology & People, Vol. 25, No. 3, 2012, Emerald, http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.767
 

Abstract
Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value – This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.

A. Tsohou, C. Lambrinoudakis, S. Kokolakis, S. Gritzalis, The Importance of Context-Dependent Privacy Requirements and Perceptions to the Design of Privacy-Aware Systems, UPGRADE, Vol. 11, No. 1, pp. 32-37, 2010, CEPIS, http://www.cepis.org/files/cepisupg...
 

Abstract
The issue of information privacy protection is ensured nowadays by European and national legislation. However, it is not possible to protect information system user privacy adequately without establishing privacy requirements and employing an appropriate privacy assessment process that can identify the required privacy level and the possible countermeasures for achieving it. In this paper we draw upon security management tasks in order to highlight the gaps that need to be explored regarding privacy management, so as to be able to justifiably select the privacy enhancing technologies that fit a system’s privacy requirements.

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, Journal of Information Systems Security, Vol. 6, No. 1, pp. 36-64, 2010, http://www.jissec.org/Contents/V6/N...
 

Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.

A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, A Security Standards’ Framework to facilitate Best Practices’ Awareness and Conformity, Information Management & Computer Security, Vol. 18, No. 5, pp. 350-365, 2010, Emerald, http://www.emeraldinsight.com/journ...
 

Abstract
Purpose – Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption. Design/methodology/approach – The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in ISO/IEC 27001:2005 information security management system. Findings – The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically. Research limitations/implications – The completeness of the information provided in the paper relies on the pace of standards’ publications; thus the information security standards that have been classified in this paper need to be updated when new standards are published. However, the proposed framework can be utilized for this constant effort. Practical implications – Information security practitioners can benefit by the proposed framework for available security standards and effectively invoke the relevant standard each time. Guidelines for utilizing the proposed framework are presented through a case study. Originality/value – Although the practices proposed are not innovative by themselves, the originality of this work lies on the best practices’ linkage into a coherent framework that can facilitate the standards diffusion and systematic adoption.

M. Karyda, S. Gritzalis, J. H. Park, S. Kokolakis, Privacy and Fair Information Practices in Ubiquitous Environments: Research Challenges and Future Directions, Internet Research, Vol. 19, No. 2, pp. 194-208, 2009, Emerald , http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.844
 

Abstract
Purpose – This paper aims to contribute to the ongoing discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research. Design/methodology/approach – The paper analyses the privacy implications of particular characteristics of ubiquitous applications and discusses the fundamental principles and information practices used in digital environments for protecting individuals’ private data. Findings – A significant trend towards shifting privacy protection responsibility from government to the individuals is identified. Also, specific directions for future research are provided with a focus on interdisciplinary research. Research limitations/implications – This paper identifies key research issues and provides directions for future research. Originality/value – This study contributes by identifying major challenges that should be addressed, so that a set of “fair information principles” can be applied in the context of ubiquitous environments. It also discusses the limitations of these principles and provides recommendations for future research.

A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Investigating information security awareness: research and practice gaps, Information Security Journal: A Global Perspective, Vol. 17, No. 5&6, pp. 207–227, 2008, Taylor & Francis, http://www.tandfonline.com/doi/pdf/...
 

Abstract
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.

A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Process-Variance Models in Information Security Awareness Research, Information Management and Computer Security, Vol. 16, No. 3, pp. 271 – 287, 2008, Emerald , http://www.emeraldinsight.com/journ...
 

Abstract
Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes. Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology. Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness. Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications. Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ. Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.

S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. K. Katsikas, A knowledge-based approach to security requirements for e-health applications, The electronic Journal for E-Commerce Tools & Applications (eJETA), Special Issue on Emerging Security Paradigms in the Knowledge Era, 2006, http://www.ejeta.org/specialOct06-i...
 

Abstract
This paper introduces a knowledge-based approach for the security analysis and design of e-health applications. Following this approach, knowledge acquired through the process of developing secure e-health applications is represented in the form of security patterns; thus, it is made available to future developers. In this paper we present a set of security patterns that was developed based on the aforementioned approach. Security requirements for this set of patterns have been identified following a security and privacy analysis. The security patterns have been designed on the basis of a security ontology that was developed for this purpose. The ontology allows all concepts of importance and their relationships to be identified. The paper also describes the validation of the developed ontology, and compares the approach employed to other relevant methods in the domain of secure application development.

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Formulating Information Systems Risk Management Strategies through Cultural Theory, Information Management and Computer Security, Vol. 14, No. 3, pp. 198-217, 2006, Emerald, http://www.emeraldinsight.com/journ...
 

Abstract
Purpose – The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders’ perception of risk and its effect on information system (IS) risk management. Design/methodology/approach – Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders perceptions. Findings – A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have. Research limitations/implications – The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value – IS security management overlooks stakeholders’ risk perception; for example,there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.

M. Theoharidou, S. Kokolakis, M. Karyda, E. Kiountouzis, The insider threat to Information Systems and the effectiveness of ISO 17799, Computers and Security Journal, Vol. 24, No. 6, pp. 472-484, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
 

Abstract
Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory, and explore the possible enhancements to the standard that could result from the study of more recent criminology theories. The paper concludes with supporting the argument for a multiparadigm and multidisciplinary approach towards IS security management and insider threat mitigation.

M. Karyda, E. Kiountouzis, S. Kokolakis, Information Systems Security: A Contextual Perspective, Computers and Security Journal, Vol. 24, No. 3, pp. 246-260, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
 

Abstract
The protection of information systems is a major problem faced by organisations. The application of a security policy is considered essential for managing the security of information systems. Implementing a successful security policy in an organisation, however, is not a straightforward task and depends on many factors. This paper explores the processes of formulating, implementing and adopting a security policy in two different organisations. A theoretical framework based on the theory of contextualism is proposed and applied in the analysis of these cases. The contextual perspective employed in this paper illuminates the dynamic nature of the application of security policies and brings forth contextual factors that affect their successful adoption.

P. Belsis, E. Kiountouzis, S. Kokolakis, Information systems security from a knowledge management perspective, Information Management and Computer Security, Vol. 13, No. 3, pp. 189-202, 2005, Emerald, http://www.emeraldinsight.com/journ...
 

Abstract
Purpose – Information systems security management is a knowledge-intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system. Design/methodology/approach – The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed. Findings – Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management. Originality/value – In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security-related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security-focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.

S. Kokolakis, C. Lambrinoudakis, ICT security standards for healthcare applications, UPGRADE, Special Issue: Standardization for ICT Security, Vol. 6, No. 4, 2005, CEPIS , http://www.cepis.org/upgrade/index....
 

Abstract
Healthcare has always been a favouring area for the application of Information and Communication Technologies (ICT) and healthcare organisations were among the first to incorporate information systems in their operation. Following the trend, Health Information Systems (HIS) have followed an evolutionary course leading to a new generation of e-Health systems. Personalization of service, ubiquitous information management, integration of intelligent and communicating devices, are only a few of the new features that HIS are expected to embed in the near future. Moreover, HIS store and process information, which is characterised as highly sensitive. Therefore, privacy and security have been acknowledged as high-priority issues and critical factors for the adoption and effective integration of ICT in the healthcare sector. Furthermore, when considering a shared care environment with the participation of many independent healthcare organisations and the requirement for exchanging electronic healthcare records, the situation becomes much more complex since the implementation of global security policy may turn out to be an over ambitious task. This paper presents some of the most important international and European Health Informatics Standards, highlighting their contribution towards Health Information Systems’ interoperability, fulfilment of safety, security and legal requirements and market efficiency.

E. Loukis, S. Kokolakis, An architecture for a flexible public sector collaborative environment, eJETA, Vol. 1, No. 3, 2004
 

Abstract
e-Government today is focused on the electronic delivery of existing public services (e.g. social services, etc.) and, in general, on offering to citizens/enterprises the capability to transact electronically with Public Administration (e.g. declarations, applications, etc.), mainly over the Internet. In this sense modern e-Government, only to a small extent, exploits the huge capabilities of the Information and Communication Technologies for supporting and transforming the whole lifecycle of public policies, programmes and services design, production, delivery and evaluation. This paper examines the exploitation of Computer Supported Collaborative Work (CSCW) methodologies and technologies for supporting and transforming G2G collaboration concerning interorganizational processes, public policies/programmes/services design, monitoring and evaluation, as well as decision-making for difficult and complex social problems. An architecture of a flexible Public Sector Collaborative Environment for the above purposes is described, which has been developed, based on a detailed user requirements analysis, as part of the ICTE-PAN (Methodologies and Tools for Building Intelligent Collaboration and Transaction Environments in Public Administration Networks)Project of the European Union IST (Information Society Technologies) Programme. In order to provide the required flexibility for supporting the huge variety of G2G collaboration typologies of modern Public Administration, this Collaborative Environment should consist of a set of adaptable and customisable modules. In order to support the users-centred and participative customisation of this Collaborative Environment for a specific collaborative process, a Collaborative Processes Modeling Methodology has been developed. This Methodology also incorporates an Ontology of the domains of Public Sector Collaborative Decision Making and Public Policies/Programmes Design and Management, consisting of the main concepts-elements used in these domains and the main associations among them.

S. Kokolakis, E. Kiountouzis, Achieving interoperability in a multiple-security-policies environment, Computers and Security Journal, Vol. 19, No. 3, pp. 267-281, 2000, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.158
 

Abstract
The interoperability problems that emerge when information systems cooperate, are often attributed to incompatible security policies. In this paper, we introduce a systemic framework for achieving interoperability when multiple security policies are employed. First, we present a Metapolicy Development System (MDS) for the resolution of interoperability problems caused by incompatible security policies. Then we provide a policy framework and a metapolicy framework to serve as conceptual devices in the application of the MDS. Finally, we examine the possibility of developing software tools to support the MDS. We argue that a policy repository may serve as the basic component of a software tool for the management of multiple security policies and the application of the MDS. The policy repository is implemented in Telos, an object-oriented knowledge representation language.

S. Kokolakis, A. Demopoulos, E. Kiountouzis, The use of business process modelling in information systems security analysis and design, Information Management and Computer Security, Vol. 8, No. 3, pp. 107-116, 2000, MCB, www.emeraldinsight.com/journals.htm...
 

Abstract
The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS-SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS-SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.

D. Spinellis, S. Kokolakis, S. Gritzalis, Security requirements, risks, and recommendations for small enterprise and home-office environments, Information Management and Computer Security, Vol. 7, No. 3, pp. 121-128, 1999, MCB University Press , http://www.emeraldinsight.com/Insig...
 

Abstract
The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information system security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home-office set-up the article identifies the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co-operation between end users, network service providers, and software vendors.

S. Kokolakis, D. Gritzalis, S. K. Katsikas, Generic security policies for healthcare information systems, Health Informatics Journal, Vol. 4, No. 3, pp. 184-195, 1998, SAGE , http://jhi.sagepub.com/content/4/3-...
 

Abstract
Healthcare Establishments (HCEs) have developed a major dependency on Information and Communications Technologies (ICT) in the last decade. The increasing reliance upon ICT has stressed the need to foster security in Healthcare Information Systems (HIS). Security policies may have a significant contribution to make to this effort, but they could cause portability and inter-operability problems. Moreover, policies that fail to take into account all the aspects of HIS security, the legal and regulatory requirements, and the effect of several stakeholders, may lead to ineffective and inefficient security measures. We argue that policies of a special category, named Generic Security Policies (GSPs), should be developed to provide policy-level harmonization and guidance to policy-makers within HCEs. We have reviewed five policies that appear as candidates and have used the results of this review to compile a set of guidelines for potential developers of GSPs.

Επιστημονικά Συνέδρια (Conferences)


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


I. Paspatis, A. Tsohou, S. Kokolakis, AppAware: A Model for Privacy Policy Visualization for Mobile Applications, MCIS 2018, Sep, 2018, AIS Electronic Library, https://aisel.aisnet.org/cgi/viewco...
 

Abstract
Privacy policies emerge as the main mechanism to inform users on the way their information is managed by online service providers, and still remain the dominant approach for this purpose. Literature notes that users find difficulties in understanding privacy policies because they are usually written in technical or legal language even, although most users are unfamiliar with them. These difficulties have led most users to skip reading privacy policies and blindly accept them. In an effort to address this challenge this paper presents AppWare, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications. AppWare formulates a visualized report with the permission set of an application, which is easily understandable by a common user. AppWare aims to bridge the difficulty to read privacy policies and android’s obscure permission set with a new privacy policy visualization model. To validate AppAware we conducted a survey through questionnaire aiming to evaluate AppAware in terms of installability, usability, and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.

A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, INVESTIGATING THE VALUES THAT DRIVE THE ADOPTION OF ANONYMITY TOOLS: A LADDERING APPROACH, 11th Mediterranean Conference on Information Systems (MCIS 2017) , Sep, 2017, The 11th Mediterranean Conference on Information Systems Genoa,Italy
 

Abstract
Concerns about privacy and frustration over censorship and content blocking are driving millions to use privacy enhancing products. This research-in-progress focuses on anonymity tools, as a Privacy Enhancing Technology (PET), investigating the values that drive the adoption of anonymity tools by users. We use means-end analysis, a methodology we consider to be appropriate for investigating users’ conceptions and incentives for adopting anonymity tools. We also use the laddering technique, a qualitative method based on in-depth interviews, to reveal the chains of attribute-consequence-values of anonymity tools users and to construct a Hierarchical Value Map. The aim of our research is to provide insights and enhance understanding of anonymity tools users’ behavior, which we expect to benefit both researchers and software engineers to design platforms that more closely fit users’ need.

I. Paspatis, A. Tsohou, S. Kokolakis, Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, MCIS 2017, Sep, 2017, AIS Electronic Library, https://aisel.aisnet.org/mcis2017/3...
 

Abstract
Mobile application developers define the terms of use for the applications they develop, which users may accept or declined during installation. Application developers on the one hand seek to gain access to as many user information as possible, while users on the other hand seem to lack awareness and comprehension of privacy policies. This allows application developers to store an enormous number of personal data, sometimes even irrelevant to the application’s function. It’s also common that users choose not to alter the default settings, even when such an option is provided. In combination, the above conditions jeopardize users’ rights to privacy. In this research, we examined the Viber application to demonstrate how effortless it is to discover the identity of unknown Viber users. We chose a pseudorandom sample of 2000 cellular telephone numbers and examined if we could reveal their personal information. We designed an empirical study that compares the reported behavior with the actual behavior of Viber’s users. The results of this study show that users’ anonymity and privacy is easily deprived and information is exposed to a knowledgeable seeker. We provide guidelines addressed to both mobile application users and developers to increase privacy awareness and prevent privacy violations.

Ioannis Stylios, S. Kokolakis, P. Andriotis, Privacy decision-making in the digital era: A game theoretic review, International Conference on Human Aspects of Information Security, Privacy, and Trust, Theo Tryfonas, (ed), pp. 589-603, Jul, 2017, Vancouver, Canada, Springer, Cham, https://link.springer.com/chapter/1...
 

Abstract
Information privacy is constantly negotiated when people interact with enterprises and government agencies via the Internet. In this context, all relevant stakeholders take privacy-related decisions. Individuals, either as consumers buying online products and services or citizens using e-government services, face decisions with regard to the use of online services, the disclosure of personal information, and the use of privacy enhancing technologies. Enterprises make decisions regarding their investments on policies and technologies for privacy protection. Governments also decide on privacy regulations, as well as on the development of e-government services that store and process citizens’ personal information. Motivated by the aforementioned issues and challenges, we focus on aspects of privacy decision-making in the digital era and address issues of individuals’ privacy behavior. We further discuss issues of strategic privacy decision-making for online service providers and e-government service providers.

Ioannis Stylios, S. Kokolakis, Thanou, O., Chatzis, S., User's Attitudes on Mobile Devices: Can Users' Practices Protect Their Sensitive Data?, 10th Mediterranean Conference on Information Systems (MCIS) 2016, Sep, 2016, https://www.researchgate.net/public...
 

Abstract
Smartphones are the most popular personal electronic devices. They are used for all sorts of purposes, from managing bank accounts to playing games. As smartphone apps and services proliferate, the amount of sensitive data stored on or processed by handheld devices rise as well. This practice entails risks, such as violating users’ privacy, stealing users’ identities, etc. Particularly, stealing an unlocked device grants full access to sensitive data and applications. In this survey, we examine whether users adopt some basic practices to protect their sensitive personal data themselves, or is there a need to further strengthen their protection? Our statistical analysis assesses smartphone users’ security attitudes and practices among different age groups. Finally, we investigate the factors that affect the attitude of users with respect to their practices for the protection of personal data.The results of this study, show that while many smartphone users do take some security precautions, a high percentage (24%) of them still ignores security and privacy risks. In addition, 19,1 % of users do not follow any practices to protect their PINs and Passwords.\r\nKeywords: Mobile Phones, Privacy Risk, Users Attitudes, Survey.

[6]
Stylios, I.C., Chatzis, S., Thanou, O., S. Kokolakis, Mobile phones & behavioral modalities: Surveying users’ practices, 23rd Telecommunications Forum (TELFOR 2015), Nov, 2015, Belgrade, Serbia,
Ioannis Stylios, Chatzis, S., Thanou, O., S. Kokolakis, Mobile Phones & Behavioral Modalities: Surveying users’ practices, TELFOR 2015 International IEEE Conference, Nov, 2015, IEEE, https://www.researchgate.net/public...
 

Abstract
Abstract — Mobile phones are one of the most popular means of access to the internet. Users, via the telephone, connect to different services such as: Google, social networks, work accounts, banks accounts, etc. Those services, are many times, left open in their device. This enables risks, such as, loss or/and the violation of their personal data. In addition, in case of device theft after login, full access to sensitive data and applications may be fully granted. The purpose of this research is to analyze the most salient patterns characterizing user practices regarding certain behavioral modalities including: the way of using the various applications, power consumption, touch gestures and guest users’ habits. To this end, we used an original questionnaire, created for the needs of the specific survey, to examine whether we can find some trends among the users. This can give us a qualitative information, for the different behaviors / “characters” of users, in order to be used in further research regarding User’s Continuous Authentication. Keywords — Mobile Phones, Behavioral Modalities, Continuous Authentication, Survey.

K. Vemou, M. Karyda, S. Kokolakis, Directions for Raising Privacy Awareness in SNS Platforms, 18th Panhellenic Conference on Informatics, pp. 1-6, Oct, 2014, Athens, ACM New York, http://dl.acm.org/citation.cfm?id=2...
 

Abstract
Members of online social networks are often under an illusion of privacy, underestimating privacy risks related to their personal information published in their profiles. Current literature identifies privacy awareness as a key factor for enhancing user privacy. This paper identifies awareness raising applications and explores the effectiveness of awareness tools and practices currently employed by six popular SNS platforms, through a combined approach of literature review and experimental use. Our findings illustrate that awareness practices differ significantly among platforms and fail to promote awareness. We also show that effective awareness raising tools, such as privacy signalling and visualization applications, are overlooked and propose directions to further enhance privacy awareness mechanisms in SNS platforms.

K. Anastasopoulou, S. Kokolakis, T. Tryfonas, Analysis of strategic stakeholder interactions in cloudbased mobile app use by privacy-sensitive end users (invited paper), 15th International Conference on Human-Computer Interaction (HCII2013), Jul, 2013, Las Vegas, Nevada, USA, [The HCII 2013 Conference Proceedings will be published by Springer,
 

Abstract
Free mobile applications of cloud computing offer a range of diverse services (e.g. gaming, storage etc.) usally in return for delivering personalized advertising to their consenting end-users. In order to do so they may retain a range of personal information such as location and personal preferences. Thus, privacy-related interactions between service providers and end users are important to be studied as personal data are valuable in a subscription-based cloud system. In this paper, game theory is used as a tool to identify and analyze such interactions in order to understand stakeholder choices, as well as how to improve the quality of the service offered in a cloud computing setting.

K. Anastasopoulou, S. Kokolakis, T. Tryfonas, Analysis of strategic stakeholder interactions in cloudbased mobile app use by privacy-sensitive end users, Conference on Decision and Game Theory for Security (GameSec2012), Nov, 2012, Budapest, Hungary,
 

Abstract
Abstract. Free mobile applications of cloud computing offer a range of diverse services (e.g. gaming, storage etc.) usally in return for delivering personalized advertising to their consenting endusers. In order to do so they may retain a range of personal information such as location and personal preferences. Thus, privacy-related interactions between service providers and end users are important to be studied as personal data are valuable in a subscription-based cloud system. In this paper, game theory is used as a tool to identify and analyze such interactions in order to understand stakeholder choices, as well as how to improve the quality of the service offered in a cloud computing setting. \r\n\r\nKeywords: Privacy, mobile apps, cloud, game theory, strategic interactions.

S. Kokolakis, K. Anastasopoulou, M. Karyda, An Analysis of Privacy-related Strategic Choices of Buyers and Sellers in e-Commerce Transactions, 16th Panhellenic Conference on Informatics (PCI2012), Oct, 2012, Piraeus, CPS,
 

Abstract
E-commerce transactions, in addition to the exchange of goods and services for payment, often entail an indirect transaction, where personal data are exchanged for better services or lower prices. This paper analyses buyer’s and seller’s privacy-related strategic choices in e-commerce transactions through game theory. We demonstrate how game theory can explain why buyers mistrust internet privacy policies and relevant technologies (e.g. P3P) and sellers hesitate to invest in data protection.

E. Loukis, S. Kokolakis, K. Anastasopoulou, Factors of PKI adoption in European firms, The 6th Mediterranean Conference on Information Systems (MCIS) 2011, Sep, 2011, Cyprus
 

Abstract
Public Key Infrastructure (PKI) is an established technology that has been around for more than fifteen years. However, its adoption follows a very slow pace. Previous research, based either on a theoretical analysis of PKI or on specific cases of PKI implementation, has indicated several possible reasons for PKI non-adoption. In this paper we examine the effect of specific organizational factors on PKI adoption using empirical data from 14065 European firms collected through the e-Business Watch Survey of the European Commission. We have shown that it is still addressed as innovative technology that requires an innovation culture. Moreover, small and medium –sized firms are rather reluctant to adopt it and it is mostly implemented in firms with a large number of employees and tele-workers. Also, the extensive use of IS for supporting internal functions and cooperation with the external environment (e.g. customers and prospects), and the high dependence on them, are drivers of PKI adoption.

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Information Security Awareness through Networks of Association, 7th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2010), pp. 227-237, Sep, 2010, Bilbao, Spain, Lecture Notes in Computer Science, Springer,
 

Abstract
Information security awareness is a continuous effort to raise attention to information security and its importance, in order to stimulate securityoriented behaviors. Despite the increasing interest of researchers on the topic and the continuous notifications of global security surveys for its significance, awareness remains a critical issue of information security. Related approaches propose techniques and methods for promoting security without theoretical grounding and separately from the overall information security management framework. The aim of this paper is to suggest a theoretical and methodological framework which facilitates the analysis and understanding of the issues that are intertwined with awareness activities, in order to support the organization’s security management.

A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Unifying ISO Security Standards Practices into a Single Security Framework, 2010 South African Information Security Multi-Conference, May, 2010, Port Elisabeth, South Africa, https://www.google.gr/url?sa=t&rct=...
 

Abstract
Compliance to standards is quite important for numerous reasons, including interoperability, conformity assessment etc. However, even though recent surveys indicate that international security standards do gain acceptance and that a continuously increasing number oforganizations adopt them, still the majority do not know them or do not fully implement them. In this paper we facilitate the awareness of security practitioners on ISO security standards and we propose a security framework that is based on them. In order to explain the different layers of the framework and illustrate its applicability we have used as a case study a Payroll and Pensioner Information System.

A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Information Systems Security Management: A review and a classification of the ISO standards, e-Democracy 2009 , A. Sideridis and C. Patrikakis , (eds), pp. 220-235, Sep, 2009, Athens, Greece, Springer Lecture Notes of the ICSSIT Institute for Computer Sciences, Social Informatics, & Telecom, http://link.springer.com/content/pd...
 

Abstract
The need for common understanding and agreement of functional and non-functional requirements is well known and understood by information system designers. This is necessary for both: designing the “correct” system and achieving interoperability with other systems. Security is maybe the best example of this need. If the understanding of the security requirements is not the same for all involved parties and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that will be designed will not necessarily achieve the desired security level and it will be very difficult to securely interoperate with other systems. It is therefore clear that the role and contribution of international standards to the design and implementation of security mechanisms is dominant. In this paper we provide a state of the art review on information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for an efficient management of information security. Moreover, the classification of the standards in the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.

A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, 4th Mediterranean Conference on Information Systems (MCIS09), Sep, 2009, Athens, Greece,
 

Abstract
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.

[17]
A. Tsohou, M. Theoharidou, S. Kokolakis, D. Gritzalis, Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship, TrustBus’07 4th International Conference on Trust, Privacy and Security in Digital Business, G. Pernul, C. Lambrinoudakis, M. Tjoa, (eds), Sep, 2007, Lecture Notes in Computer Science LNCS, Springer,
T. Balopoulos, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, S. K. Katsikas, A Framework for Exploiting Security Expertise in Application Development, TrustBus’06 3rd International Conference on Trust, Privacy, and Security in the Digital Business, S. Furnell, C. Lambrinoudakis, S. Fischer-Huebner, (eds), pp. 62-70, Sep, 2006, Krakow, Poland, Lecture Notes in Computer Science LNCS Vol. 4083, Springer, http://www.icsd.aegean.gr/publicati...
 

Abstract
This paper presents a framework that enables application developers make use of security expertise. This is succeeded with the help of security ontologies and the employment of security patterns. Through the development of a security ontology developers can locate the major security-related concepts and locate those relevant to the application context. Security patterns provide tested solutions for accommodating security requirements. Finally, the main features of the framework are listed with respect to related work.

L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Dritsas, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Developing a Security Patterns Repository for Secure Applications Design, ECIW 2006 5thEuropean Conference on Information Warfare and Security, C. Candolin et al., (eds), pp. 51-60, Jun, 2006, Helsinki, Finland, ACL Academic Conferences Limited, http://www.icsd.aegean.gr/publicati...
 

Abstract
Application developers are often confronted with difficulties in choosing or embedding security mechanisms that are necessary for building secure applications, since this demands possessing expertise in security issues. This problem can be circumvented by involving security experts early in the development process. This practice, however, entails high costs; moreover communication between developers and security experts is usually problematic and security expertise is difficult to be captured and exploited by developers. This paper proposes that the process of building secure applications can be facilitated through the use of security patterns. It presents a security patterns repository that can provide developers with an effective mechanism to address the issue of incorporating security requirements and mechanisms in application development. The paper also specifies a list of patterns and describes their basic elements. For describing and managing the patterns, the paper proposes a structure that is especially suitable for the case of security patterns. The method followed for developing the security patterns repository entails the employment of a security ontology. Finally, the paper presents a set of exemplary cases where the repository can support the software development process. The paper’s contribution is an enhanced security patterns repository that allows application developers to benefit from the accumulated knowledge and expertise in the area of security, so that they are able to develop secure applications.

M. Karyda, T. Balopoulos, S. Dritsas, L. Gymnopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, An Ontology for Secure e-Government applications, DeSeGov’06 Workshop on Dependability and Security in eGovernment, A. Tjoa, E. Schweighofer, (eds), pp. 1033-1037, Apr, 2006, Vienna, Austria, IEEE CPS, http://ieeexplore.ieee.org/xpl/logi...
 

Abstract
This paper addresses the issue of accommodating security requirements in application development. It proposes the use of ontologies for capturing and depicting the security experts' knowledge. In this way developers can exploit security expertise in order to make design choices that help them fulfil security requirements more effectively. We have developed a security ontology for two different application scenarios to illustrate its use. To validate the ontology we have used queries.

S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Employing Ontologies for the Developmentof Security Critical Applications: The Secure e-Poll Paradigm, IFIP I3E International Conference on eBusiness,eCommerce, and eGovernemnt, M. Funabashi, A. Grzech, (eds), pp. 187-201, Oct, 2005, Poznan, Poland, Springer, http://link.springer.com/content/pd...
 

Abstract
Incorporating security in the application development process is a fundamental requirement for building secure applications, especially with regard to security sensitive domains, such as e-government. In this paper we follow a novel approach to demonstrate how the process of developing an e-poll application can be substantially facilitated by employing a specialized security ontology. To accomplish this, we describe the security ontology we have developed, and provide a set of indicative questions that developers might face, together with the solutions that ontology deployment provides.

T. Balopoulos, S. Dritsas, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, Incorporating Security Requirements into the Software Development Process, ECIW 2005 4th European Conference on Information Warfare and Security, pp. 21-28, Jul, 2005, Glamorgan, United Kingdom, Academic Conferences Limited, http://www.google.gr/books?hl=en&lr...
 

Abstract
Security requirements, such as authentication, confidentiality, authorization, availability, integrity and privacy, are becoming extremely common in software development processes. However, in practical terms, it has been proved that only rarely the developed software fulfils the related security requirements. The reason for this is twofold. On one hand software developers are not security experts and thus they are not competent in selecting and applying the appropriate security countermeasures. On the other hand, many security requirements are intrinsically difficult to deal with. This paper aims to address both of the aforementioned issues and to introduce potential solutions. It starts by analysing the major security requirements, and goes on to explore how they can be mapped into concrete security solutions or/and mechanisms. Then, it examines how the fulfilment of security requirements influences the choice of development methodologies and paradigms (with the emphasis being on the design phase), so that the requirements are effectively satisfied. The discussion covers object-oriented and aspect-oriented programming, the Rational Unified Process, UML and UMLsec, as well as security patterns, with regard to the ways they can support the use of security solutions or/and mechanisms.

M. Karyda, S. Kokolakis, E. Kiountouzis, Information Systems Security and the Structuring of Organisations, 7th International Conference on the Social and Ethical Impacts of Information and Communication Technologies (ETHICOMP 2004), T. Bynum, N. Pouloudi, S. Rogerson, T. Spyrou, (eds), pp. 451-461, Apr, 2004, Syros, Greece, University of the Aegean,
 

Abstract
This study explores the consequences of the introduction of a security plan into organisations by means of a case study of a non-governmental organisation for the treatment of individuals with drug addiction. The paper mainly focuses on the implications of the application of a security plan to the social system in the organisation. The framework for analysis used for the case study is based on the fundamental tenets of A. Giddens’ structuration theory. Structuration theory can be used as an analysis tool for studying the interplay between social structures and human agency and also provides the framework for taking into account aspects of organisational change. This study contributes to the stream of research on the implications of implementing security plans and policies in the organisational context, which is still in a very early stage.

[24]
S. Kokolakis, C. Lambrinoudakis, D. Gritzalis, A Knowledge-Based Repository Model for Security Policies Management, MMM-ACNS-2003 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, V. Gorodetski, L. Popyack, V. Skormin , (eds), pp. 112-121, Sep, 2003, St. Petersburg, Russia, Springer, LNCS 2776,
C. Lambrinoudakis, S. Kokolakis, M. Karyda, V. Tsoumas, D. Gritzalis, S. K. Katsikas, Electronic Voting Systems: Security Implications of the Administrative Workflow, 14th International Workshop on Database and Expert Systems Applications (DEXA 2003), W06: International Workshop on Trust and Privacy in Digital Business (TrustBus), pp. 467-471, Sep, 2003, Prague, Czech, IEEE Computer Society Press,
 

Abstract
With the rapid growth of the Internet, online voting appears to be a reasonable alternative to conventional elections and other opinion expressing processes. Current research focuses on designing and building “voting protocols” that can support the voting process, while implementing the security mechanisms required for preventing fraud and protecting voter's privacy. However, not much attention has been paid to the administrative part of an electronic voting system that supports the actors of the system. Possible “security gaps” in the administrative workflow may result in deteriorating the overall security level of the system, even if the voting protocol implemented by the system succeeds to fully comply with the security requirements set for voting. To this direction, this paper describes the responsibilities and privileges of the actors involved in the electronic voting process. The description of the role of each actor, together with the clear indication of what each actor is expected - and thus allowed - to do with the system, formulate an operational framework that complements the technological security features of the system and allows us to talk about “secure electronic voting systems”.

E. Loukis, S. Kokolakis, Computer supported collaboration in the public sector: the ICTE-PAN project, 2nd EGOV Conference , Sep, 2003, Prague, Czech Republic
 

Abstract
Electronic Government today focuses mainly on offering citizens and enterprises the capability to perform electronically their transactions with the Public Administration and also on the electronic delivery of the currently existing public services over the Internet. However, the huge potential of ICTs has only to a small extent been exploited in the higher level and most critical functions of Public Administration, such as the development, monitoring and evaluation of public policies and programmes, the decision-making for difficult and complex social problems, or for granting licenses and permissions with high social impact, etc. This paper is dealing with the exploitation of the meth-odologies and technologies of Computer Supported Collaborative Work (CSCW) in these directions. A general functional and technological architecture of a Government to Government (G2G) collaborative environment is de-scribed, for supporting the above high level functions of Public Administration, which has been designed as part of the ICTE-PAN Project. It is based on an ex-tension of the classical Workflow Model, in order to include both ‘Single Per-son Activities’ and ‘Collaborative Activities’, and also on the use of modelling techniques and ontologies, in order to achieve a high level of adaptability to diverse requirements.

M. Karyda, S. Kokolakis, E. Kiountouzis, Content, Context, Process Analysis of IS Security Policy Formation, 18th IFIP International Conference on Information Security, D. Gritzalis, S. de Capitani di Vimercati, P. Samarati, S.K.Katsikas , (eds), pp. 145-156, May, 2003, Athens, Greece, Kluwer Academic Publishers,
 

Abstract
Security management is now acknowledged as a key constituent of Information Systems (IS) management. IS security management traditionally relies on the formation and application of security policies. Most of the research in this field address issues regarding the structure and content of security policies; whereas the context within which security policies are conceived and developed remains rather unexplored. However, security policies that are formed without taking into account the specific social and organisational environment within which they will be applied, are often proven to be inapplicable or ineffective. In this paper we explore the issues pertaining to the formation of security policies under the perspective of contextualism. Within the framework of contextualism, we study the context, content and process of IS security policies development. This paper aims to contribute to IS security research by bringing forth the issue of context-dependent formation of security policies. In addition, it provides a contextual framework, which we expect to improve the effectiveness of IS security policies development.

[28]
S. Ikonomopoulos, C. Lambrinoudakis, D. Gritzalis, S. Kokolakis, K. Vassiliou, Functional Requirements for a Secure Electronic Voting System, IFIP TC11 17th International Conference on Information Security (IFIP/SEC2002), M.A. Ghonaimy, M. El-Hadidi, H. K. Aslan , (eds), pp. 507-519, May, 2002, Cairo, Egypt, Kluwer Academic Publisher,
[29]
C. Lambrinoudakis, S. Kokolakis, D. Gritzalis, Recurrent IT Security Issues and Recommendations: Learning from Risk Assessment Reviews, IFIP WG 9.6/11.7 Working Conference on Security and Control of IT in Society II (SCITS-II), pp. 185-195, Jun, 2001, Bratislava, Slovakia,
M. Karyda, S. Kokolakis, E. Kiountouzis, Redefining Information Systems Security: Viable Information Systems, 16th IFIP International Conference on Information Security (SEC 2001), M. Dupuy, P. Paradinas , (eds), pp. 453-467, Jun, 2001, Paris, France, Kluwer Academic Publishers,
 

Abstract
Research on Information Security has been based on a well-established definition of the subject. Consequently, it has delivered a plethora of methods, techniques, mechanisms and tools to protect the so-called security attributes (i.e. availability, confidentiality and integrity) of information. However, modern Information Systems (IS) appear rather vulnerable and people show mistrust on their ability to deliver the services expected. This phenomenon leads us to the conclusion that information security does not necessarily equal IS security. In this paper, we argue that IS security, contrary to information security, remains a confusing term and a neglected research area. We attempt to clarify the meaning and aims of IS security and propose a framework for building secure information systems, or as we suggest them to be called, viable information systems.

S. Kokolakis, M. Karyda, D. Gritzalis, Information systems security management in virtual organizations, 4th International Conference on Security in Information Systems (SIS2000), (eds), pp. 109-125, Oct, 2000, Zurich, Switzerland ,
 

Abstract
The virtual organization is a new form of organization possessing the characteristic of incorporating business units with a high degree of autonomy. This form of organization, which is expected to become the dominant organizational paradigm for the 21st century, strongly depends on the effectiveness of cooperation among the autonomous Information Systems (IS) of each business unit. Developing a security policy and installing security controls for each IS appears as a prerequisite for the survival of the virtual organization, but on the other hand it may severely hinder IS cooperation, as policies and controls often give rise to conflicts and interoperability problems. In this paper, we analyse the problem of managing IS security in multi-policy environments and introduce a Security Policies Management System (SPMS) that facilitates the management of IS security in virtual organizations and supports the resolution of conflicts between security policies.

[32]
T. Tryfonas, D. Gritzalis, S. Kokolakis, A qualitative approach to information availability, 15th International Information Security Conference (IFIP/SEC 00), (eds), Aug, 2000, Beijing, China,
[33]
S. Kokolakis, Is there a need for new information security models?, 2nd Communications and Multimedia Security Conference (CMS 96), (eds), Sep, 1996, Hessen, Germany,
[34]
E. Kiountouzis, S. Kokolakis, An analyst's view of information systems security, 12th International Information Security Conference (IFIP/SEC 96), (eds), May, 1996, Samos, Greece,

Βιβλία


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


[1]
D. Drossos, D. Vouyioukas, E. Kalligeros, S. Kokolakis, C. Skianis, Εισαγωγή στην Επιστήμη των Υπολογιστών και Επικοινωνιών – Τεχνολογίες και Εφαρμογές, 2015, Αθήνα, Σύνδεσμος Ελληνικών Ακαδημαϊκών Βιβλιοθηκών
[2]
L. Mitrou, A.-M. Piskopani, S. Tassis, M. Karyda, S. Kokolakis, (eds), Facebook, blogs και δικαιώματα, 2013, Εκδόσεις Σάκκουλα
[3]
G. Spanoudakis, A. Mana, S. Kokolakis, (eds), Security and Dependability for Ambient Intelligence, 2009, Springer

Κεφάλαια σε Βιβλία


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


[1]
M. Karyda, S. Kokolakis, Ψηφιακά Κοινωνικά Δίκτυα: Ζητήματα ιδιωτικότητας και η τεχνολογική αντιμετώπισή τους , chapter in: Facebook, Blogs και δικαιώματα, Θ. Κ. Παπαχρίστου, Λ. Μήτρου, Τ. Βιδάλης, Θ. Ξηρός., (eds), pp. 117-, 2013, Εκδόσεις Σάκκουλα,
[2]
S. Kokolakis, P. Rizomiliotis, A. Benameur, S.-K. Sinha, Security and Dependability Solutions for Web Services and Workflows, chapter in: Security and Dependability for Ambient Intelligence, G. Spanoudakis, A. Mana, S. Kokolakis, (eds), pp. 97-106, 2009, Springer,
[3]
M. Karyda, S. Kokolakis, Privacy Perceptions Among Members of Online Communities, chapter in: Digital Privacy: Theory, Technologies and Practices, A. Acquisti, S. De Capitani di Vimercati, S. Gritzalis, C. Lambrinoudakis , (eds), pp. , 2008, Auerbach Publications (Taylor and Francis Group),
[4]
S. K. Katsikas, S. Kokolakis, High-level Security Policies for Health Care Establishments,, chapter in: Health Informatics, B. Blobel, (ed), pp. 98-104, 2003, Amsterdam, The Netherlands, IOS Press,

Επιμέλεια Πρακτικών Διεθνών Συνεδρίων


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


[1]
G. Dhillon, S. Gritzalis, S. Kokolakis, (eds), MCIS 2009 4th Mediterranean Conference on Information Systems – Information Security Track , Sep, 2009, Athens, Greece, Association for Information Systems
[2]
B. Preneel, S. Gritzalis, S. Kokolakis, T. Tryfonas, (eds), WDFIA 2007 2nd Annual Workshop on Digital Forensics and Incident Analysis, Aug, 2007, Samos, Greece, IEEE CPS