@inproceedings{5684, author = {{Lang, Fabian and Schryen, Guido and Fink, Andreas}}, booktitle = {{Proceedings of the 2011 International Conference on Information Systems (ICIS 2011)}}, title = {{{Automated Negotiations Under Uncertain Preferences}}}, year = {{2011}}, } @inproceedings{5689, author = {{Bodenstein, Christian and Schryen, Guido and Neumann, Dirk}}, booktitle = {{Proceedings of the 19th European Conference on Information Systems (ECIS 2011)}}, title = {{{Reducing Datacenter Energy Usage through Efficient Job Allocation}}}, year = {{2011}}, } @inproceedings{5581, author = {{Wex, Felix and Schryen, Guido and Neumann, Dirk}}, booktitle = {{Proceedings of the 8th International Conference on Information Systems for Crisis Response and Management (ISCRAM 2011)}}, title = {{{Intelligent Decision Support for Centralized Coordination during Emergency Response}}}, year = {{2011}}, } @inproceedings{5619, author = {{Schryen, Guido and Volkamer, Melanie and Ries, Sebastian}}, booktitle = {{Proceedings of the 26th Annual ACM Symposium on Applied Computing}}, title = {{{A formal approach towards measuring trust in distributed systems}}}, year = {{2011}}, } @article{5640, author = {{Schryen, Guido}}, journal = {{Communications of the ACM (CACM)}}, number = {{No. 5}}, pages = {{130--139}}, publisher = {{Association for Computing Machinery}}, title = {{{Is open source security a myth? What do vulnerability and patch data say?}}}, volume = {{Vol. 54}}, year = {{2011}}, } @inproceedings{5641, author = {{Schryen, Guido}}, booktitle = {{IS Capabilities Change, and IS Innovation, Proceedings of the 19th European Conference on Information Systems (ECIS 2011), Helsinki}}, title = {{{Seeking the VALUE in IS Business Value Research - An Agenda for investigating Synergies Between Socio-organizational Change, IS Capabilities Change, and IS Innovation}}}, year = {{2011}}, } @inproceedings{5685, abstract = {{In double-sided markets for computing resources an optimal allocation schedule among job offers and requests subject to relevant capacity constraints can be determined. With increasing storage demands and emerging storage services the question how to schedule storage jobs becomes more and more interesting. Since such scheduling problems are often in the class NP-complete an exact computation is not feasible in practice. On the other hand an approximation to the optimal solution can easily be found by means of using heuristics. The problem with this attempt is that the suggested solution may not be exactly optimal and is thus less satisfying. Considering the two above mentioned solution approaches one can clearly find a trade-off between the optimality of the solution and the efficiency to get to a solution at all. This work proposes to apply and combine heuristics in optimization to gain from both of their benefits while reducing the problematic aspects. Following this method it is assumed to get closer to the optimal solution in a shorter time compared to a full optimization.}}, author = {{Finkbeiner, Josef and Bodenstein, Christian and Schryen, Guido and Neumann, Dirk}}, booktitle = {{18th European Conference on Information Systems (ECIS 2010)}}, keywords = {{Decision Support System, Algorithms, Optimization, Market Engineering}}, title = {{{Applying heuristic methods for job scheduling in storage markets}}}, year = {{2010}}, } @inproceedings{5690, abstract = {{In a world, where more and more businesses seem to trade in an online market, the supply of online services to supply the ever-growing demand could quickly reach its capacity limits. Online service providers may find themselves maxed out at peak operation levels during high-traffic timeslots but too little demand during low-traffic timeslots, although the latter is becoming less frequent. At this point not only deciding which user is allocated what level of service becomes essential, but also the magnitude of the service provided, can be controlled by pricing. Pricing is an important factor when efficient and acceptable allocation of resources between individuals must be reached. Without prices, transferring or sharing goods would be impossible. In sharing information, pricing a product however is not as simple as relatively pricing an apple or a pear. Often the costs, and hence the prices are simply unknown. Backed by this scenario, the online services market could be combined with the market design mechanism of diamonds. For this we propose an ultimatum pricing strategy which effectively allows for valuations to be accounted for, but no longer a necessity when pricing in grid, cloud or other online computing environments.}}, author = {{Bodenstein, Christian and Schryen, Guido and Neumann, Dirk}}, booktitle = {{18th European Conference on Information Systems (ECIS 2010)}}, keywords = {{Posted Price, Ultimatum Game, Energy Efficiency, Mechanism Design}}, title = {{{From "Take-it-or-leave-it" offers to "Take-it-or-be-left-out" Ultimatum - A trade mechanism for Online Services}}}, year = {{2010}}, } @inproceedings{5598, abstract = {{Emerging digital environments and infrastructures, such as distributed services and computing services, have generated new options of communication, information sharing, and resource utilization in past years. Different distributed trust concepts are applied to increase trust in such systems. However, these concepts yield to rather complex architectures which make it difficult to determine which component or system needs to be trusted. This paper presents a novel trust measurement method for distributed systems which enables the t identification of weak points in the overall system architecture. The measurement method includes the specification of a formal trust language and its representation by means of propositional logic formulas. The applicability of the proposed concepts is demonstrated by conducting a case study on the Internet voting system that was used in the 2007 parliamentary elections in Estonia.}}, author = {{Volkamer, Melanie and Schryen, Guido}}, booktitle = {{Proceedings of the 23rd Bled eConference}}, keywords = {{distributed trust concepts, measuring etrust, Internet voting}}, title = {{{Measuring eTrust in distributed systems - General Concept and Application to Internet Voting}}}, year = {{2010}}, } @inproceedings{5631, abstract = {{While many theoretical arguments against or in favor of open source and closed source software development have been presented, the empirical basis for the assessment of arguments and the development of models is still weak. Addressing this research gap, this paper presents the first comprehensive empirical investigation of published vulnerabilities and patches of 17 widely deployed open source and closed source software packages, including operating systems, database systems, web browsers, email clients, and office systems. The empirical analysis uses comprehensive vulnerability data contained in the NIST National Vulnerability Database and a newly compiled data set of vulnerability patches. The results suggest that it is not the particular software development style that determines the severity of vulnerabilities and vendors? patching behavior, but rather the specific application type and the policy of the particular development community, respectively.}}, author = {{Schryen, Guido and Eliot, Rich}}, booktitle = {{43rd Annual Hawaii International Conference on System Sciences}}, title = {{{Increasing software security through open source or closed source development? Empirics suggest that we have asked the wrong question}}}, year = {{2010}}, } @inproceedings{5632, abstract = {{Enduring doubts about the value of IS investments reveal that IS researchers have not fully managed to identify and to explain the economic benefits of IS. Three research tasks are essential requisites on the path towards addressing this criticism: the synthesis of knowledge, the identification of lack of knowledge, and the proposition of paths for closing knowledge gaps. This paper considers each of these tasks by a) synthesizing key research findings based on a comprehensive literature review, b) identifying and unfolding key limitations of current research, and c) applying a decision-theoretic perspective, which opens new horizons to IS business value research and shows paths for overcoming the limitations. The adoption of this perspective results in a decision-theoretic foundation of IS business value research and includes the proposition of a consistent terminology and a research model that frames further research.}}, author = {{Schryen, Guido and Bodenstein, Christian}}, booktitle = {{Proceedings of the 18th European Conference on Information Systems (ECIS 2010)}}, keywords = {{Decision theory, IT value, IS assessment, IS evaluation}}, title = {{{A decision-theoretic foundation of IS business value research}}}, year = {{2010}}, } @inproceedings{5642, abstract = {{This paper presents a fuzzy set based decision support model for taking uncertainty into account when making security investment decisions for distributed systems. The proposed model is complementary to robabilistic approaches and useful in situations where probabilistic information is either unavailable or not appropriate to reliably predict future conditions. We ?rst present the speci?cation of a formal security language that allows to specify under which conditions a distributed system is protected against security violations. We show that each term of the security language can be transformed into an equivalent propositional logic term. Then we use propositional logic terms to de?ne a fuzzy set based decision model. This optimization model incorporates uncertainty with regard to the impact of investments on the achieved security levels of components of the distributed system. The model also accounts for budget and security constraints, in order to be applicable in practice.}}, author = {{Schryen, Guido}}, booktitle = {{Sicherheit 2010 : Sicherheit, Schutz und Zuverl{\"a}ssigkeit ; Konferenzband der 5. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft f{\"u}r Informatik e.V. (GI), 5. - 7. Oktober 2010 in Berlin}}, editor = {{C. Freiling, Felix}}, pages = {{289--304}}, publisher = {{Gesellschaft für Informatik}}, title = {{{A Fuzzy Model for IT Security Investments}}}, volume = {{170}}, year = {{2010}}, } @inproceedings{5643, abstract = {{Enduring doubts about the value of IS investments reveal that IS researchers have not fully managed to identify and to explain the economic benefits of IS. This paper assumes that literature reviews, which represent a powerful instrument for the identification and synthesis of knowledge, have not tapped their full potential to address this issue due to deficiencies in methodology. The analysis of 18 literature reviews published in pertinent academic outlets during the past 20 years shows such deficiencies. Two of the most critical weaknesses identified are (1) the lack of theory use in most reviews and (2) a weak linkage of reviews, resulting in little progress in theory and framework development. The systematic identification of these weaknesses and the extraction of promising methodological examples from past literature are the main contributions of this work, which supports the composition of more effective literature reviews in future research.}}, author = {{Schryen, Guido}}, booktitle = {{Proceedings of the First Scandinavian Conference on Information Systems (SCIS)}}, keywords = {{Literature review, Business value, Information systems, Methodology, Theory}}, title = {{{An Analysis of Literature Reviews on IS Business Value: How Deficiencies in Methodology and Theory Use Resulted in Limited Effectiveness}}}, year = {{2010}}, } @article{5644, abstract = {{The economic relevance of information systems has been studied for many years and has attracted an abundance of research papers. However, the ?productivity paradoxon? of the 90s, Carr?s widely recognized paper ?IT doesn?t matter?, and several studies that do not find a positive correlation between IS investments and economic performance reveal long-lasting difficulties for IS researchers to explain ?IS business value?. Business executives and researchers also continue to question the value of IS investments. This raises the question of whether literature reviews have tapped their potential to address the concerns by covering key research areas of IS business value and preserving their key findings. In order to address this question, this paper identifies and describes 12 key research areas, and synthesizes what literature reviews published in pertinent academic outlets have done to preserve knowledge. The analysis of 22 literature reviews shows that some crucial areas have not been (sufficiently) covered. They provide fertile areas for future literature reviews. As this work is based on the results of more than 200 research papers, it is capable of drawing a comprehensive picture of the current state-of-the-art in IS business value research.}}, author = {{Schryen, Guido}}, journal = {{Business \& Information Systems Engineering (BISE)}}, keywords = {{Business value, Information systems, Literature review, Meta review}}, number = {{4}}, pages = {{225--237}}, publisher = {{Springer}}, title = {{{Preserving knowledge on IS business value: what literature reviews have done}}}, volume = {{52}}, year = {{2010}}, } @article{5645, abstract = {{The economic relevance of information systems has been studied for many years and has attracted an abundance of research papers. However, the ?productivity paradoxon? of the 1990s, Carr?s widely recognized paper ?IT doesn?t matter?, and several studies that do not find a positive correlation between IS investments and economic performance reveal long-lasting difficulties for IS researchers to explain ?IS business value?. Business executives and researchers also continue to question the value of IS investments. This raises the question of whether literature reviews have tapped their potential to address the concerns by covering key research areas of IS business value and preserving their key findings. In order to address this question, this paper identifies and describes 12 key research areas, and synthesizes what literature reviews published in pertinent academic outlets have done to preserve knowledge. The analysis of 22 literature reviews shows that some crucial areas have not been (sufficiently) covered. They provide fertile areas for future literature reviews. As this work is based on the results of more than 200 research papers, it is capable of drawing a comprehensive picture of the current state-of-the-art in IS business value research.}}, author = {{Schryen, Guido}}, journal = {{Wirtschaftsinformatik}}, number = {{4}}, pages = {{225--237}}, publisher = {{Gabler; Springer}}, title = {{{Ökonomischer Wert von Informationssystemen - Beitrag von Literatur-Reviews zum Wissenserhalt ( = Preserving Knowledge on IS Business Value. What Literature Reviews Have Done)}}}, volume = {{52}}, year = {{2010}}, } @inproceedings{5597, abstract = {{Der Beitrag diskutiert die kontroversen Ans{\"a}tze ? Verifizierung versus Evaluation/Zertifizierung ? zur Sicherung elektronischer Wahlen mit Wahlger{\"a}ten. Dabei spielt das Urteils des Bundesverfassungsgerichts [BVG099] eine zentrale Rolle. Hierin wird entschieden, dass die Zertifizierung des Wahlger{\"a}tes nicht ausreicht und es werden Verifizierungsfunktionen gefordert, die den W{\"a}hlern die M{\"o}glichkeit geben sich von der Integrit{\"a}t des Wahlergebnisses zu {\"u}berzeugen. Der Beitrag zeigt auf, dass auch mit der Implementierung entsprechender Verifizierungsfunktionen nicht auf Zertifizierung verzichtet werden kann, da an ein Wahlger{\"a}t auch andere Anforderungen wie etwa hinsichtlich des Wahlgeheimnisses gestellt werden. Es wird au{\ss}erdem die Frage diskutiert, warum der Zertifizierung hinsichtlich dieser zus{\"a}tzlichen Anforderungen vertraut werden kann, w{\"a}hrend dies nicht der Fall bei der Integrit{\"a}tsanforderung ist.}}, author = {{Volkamer, Melanie and Schryen, Guido and Langer, Lucie and Schmidt, Axel and Buchmann, Johannes}}, booktitle = {{Workshop Elektronische Wahlen, elektronische Teilhabe, Societyware, 39th GI-Jahrestagung}}, title = {{{Elektronische Wahlen: Verifizierung vs. Zertifizierung}}}, year = {{2009}}, } @article{5621, abstract = {{Remote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the electoral process loses transparency when it is encapsulated in information technology. In this paper, we examine the public record of three recent elections that used Internet voting. Our specific goal is to identify any potential flaws that security experts would recognize, but may have not been identified in the rush to implement technology. To do this, we present a multiple exploratory case study, looking at elections conducted between 2006 and 2007 in Estonia, Netherlands, and Switzerland. These elections were selected as particularly interesting and accessible, and each presents its own technical and security challenges. The electoral environment, technical design and process for each election are described, including reconstruction of details which are implied but not specified within the source material. We found that all three elections warrant significant concern about voter security, verifiability, and transparency. Usability, our fourth area of focus, seems to have been well-addressed in these elections. While our analysis is based on public documents and previously published reports, and therefore lacking access to any confidential materials held by electoral officials, this comparative analysis provides interesting insight and consistent questions across all these cases. Effective review of Internet voting requires an aggressive stance towards identifying potential security and operational flaws, and we encourage the use of third party reviews with critical technology skills during design, programming, and voting to reduce the changes of failure or fraud that would undermine public confidence.}}, author = {{Schryen, Guido and Rich, Eliot}}, journal = {{IEEE Transactions on Information Forensics \& Security}}, keywords = {{e-voting, Internet voting, Internet election, security, verifiability, RIES, Estonia, Neuch{\^a}tel}}, number = {{4 Part}}, pages = {{729--744}}, publisher = {{IEEE}}, title = {{{Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland}}}, volume = {{4}}, year = {{2009}}, } @inproceedings{5625, abstract = {{The increasing availability and deployment of open source software in personal and commercial environments makes open source software highly appealing for hackers, and others who are interested in exploiting software vulnerabilities. This deployment has resulted in a debate ?full of religion? on the security of open source software compared to that of closed source software. However, beyond such arguments, only little quantitative analysis on this research issue has taken place. We discuss the state-of-the-art of the security debate and identify shortcomings. Based on these, we propose new metrics, which allows to answer the question to what extent the review process of open source and closed source development has helped to fix vulnerabilities. We illustrate the application of some of these metrics in a case study on OpenOffice (open source software) vs. Microsoft Office (closed source software).}}, author = {{Schryen, Guido and Kadura, Rouven}}, booktitle = {{24th Annual ACM Symposium on Applied Computing}}, keywords = {{Open source software, Closed source software, Security, Metrics}}, title = {{{Open Source vs. Closed Source Software: Towards Measuring Security}}}, year = {{2009}}, } @inproceedings{5646, abstract = {{While many theoretical arguments against or in favor of open source and closed source software development have been presented, the empirical basis for the assessment of arguments is still weak. Addressing this research gap, this paper presents a comprehensive empirical investigation of the patching behavior of software vendors/communities of widely deployed open source and closed source software packages, including operating systems, database systems, web browsers, email clients, and office systems. As the value of any empirical study relies on the quality of data available, this paper also discusses in detail data issues, explains to what extent the empirical analysis can be based on vulnerability data contained in the NIST National Vulnerability Database, and shows how data on vulnerability patches was collected by the author to support this study. The results of the analysis suggest that it is not the particular software development style that determines patching behavior, but rather the policy of the particular software vendor.}}, author = {{Schryen, Guido}}, booktitle = {{5th International Conference on IT Security Incident Management \& IT Forensics}}, title = {{{A comprehensive and comparative analysis of the patching behavior of open source and closed source software vendors}}}, year = {{2009}}, } @inproceedings{5647, abstract = {{Reviewing literature on open source and closed source security reveals that the discussion is often determined by biased attitudes toward one of these development styles. The discussion specifically lacks appropriate metrics, methodology and hard data. This paper contributes to solving this problem by analyzing and comparing published vulnerabilities of eight open source software and nine closed source software packages, all of which are widely deployed. Thereby, it provides an extensive empirical analysis of vulnerabilities in terms of mean time between vulnerability disclosures, the development of disclosure over time, and the severity of vulnerabilities, and allows for validating models provided in the literature. The investigation reveals that (a) the mean time between vulnerability disclosures was lower for open source software in half of the cases, while the other cases show no differences, (b) in contrast to literature assumption, 14 out of 17 software packages showed a significant linear or piecewise linear correlation between time and the number of published vulnerabilities, and (c) regarding the severity of vulnerabilities, no significant differences were found between open source and closed source.}}, author = {{Schryen, Guido}}, booktitle = {{15th Americas Conference on Information Systems}}, keywords = {{Vulnerabilities, security, open source software, closed source software, empirical comparison}}, title = {{{Security of open source and closed source software: An empirical comparison of published vulnerabilities}}}, year = {{2009}}, }