On the 30th of September, Mubashar Iqbal defended his PhD thesis on “Reference Framework for Managing Security Risks Using Blockchain”, which addresses two problems: the security risk management (SRM) of traditional applications using blockchain as a countermeasure, and the SRM of blockchain-based applications themselves.

In the digital realm, software security is of the utmost importance: it keeps software systems usable for their users by securing them against security threats such as unauthorized access, disclosure, disruption, and modification. To better understand these threats and how they interact at the individual or organizational level, SRM provides an ongoing process of identifying security threats, assessing their impact, and selecting potential controls to reduce them. For instance, software systems hold assets that are valuable to an organization, and SRM can help reduce unauthorized harm to those assets to a level acceptable to the system’s stakeholders while preserving the assets’ confidentiality, integrity, and availability.

However, security threats continuously evolve, because the current traditional technology infrastructure does not implement security measures by design. Moreover, many organizations do not prioritize software security despite the growing number of security incidents. For instance, digitization, the internet of things (IoT), and smart devices in healthcare generate massive volumes of electronic health records, empowering patients and the entire healthcare sector. Medical data is confidential and plays an essential role in a patient’s diagnosis and treatment, helping to reduce medical mistakes. Securing such medical data against security threats is therefore a real concern.

Blockchain-based decentralized technology infrastructure is now making its way into different application domains (e.g., finance, healthcare, supply chain) with the promise of overcoming the security challenges of traditional technology infrastructure. Blockchain is an append-only distributed ledger technology that eliminates trusted intermediaries from a transactional process. It has several distinctive features: it introduces the concept of an immutable ledger, it is a decentralized, distributed technology that operates over a peer-to-peer (P2P) network, it relies on a decentralized consensus mechanism, and it provides provenance and tamper-evidence. Blockchain employs strong cryptography, smart contract-based decentralized access control, and resource permissions. It is pseudonymous, in that individuals’ identities and activities are linked to cryptographic addresses rather than to real-world identities. Because of these characteristics, blockchain-based applications are considered less vulnerable, appear to address the security challenges of traditional technology infrastructure, and improve data integrity; overall, blockchain restructures the transaction process to be distributed, decentralized, and irreversible. However, blockchain-based applications are not a silver bullet, since numerous security threats (e.g., Sybil attacks, double-spending) have been observed within them.

Accordingly, this thesis addresses the problem of managing the security risks of traditional applications using blockchain as a countermeasure solution, and the SRM of blockchain-based applications. The contributions made towards resolving these problems form an ontology-based security reference framework for managing the security risks of traditional applications using blockchain and for supporting the SRM of blockchain-based applications. The framework establishes common ground and a systematic interpretation that can assist developers, researchers, practitioners, and other associated stakeholders in explaining how blockchain can mitigate security threats, which security threats may appear within blockchain-based applications, and which security countermeasures should be implemented. It can also be used to communicate security requirements to technical experts. Ultimately, the reference framework has the potential to lessen the security threats to both traditional and blockchain-based applications.

Information Security Research Group