
2020 information science research agenda

Sieuwert van Otterloo | Artificial Intelligence Security

At ICT Institute we aim to combine academic research and practical applications. One way we do this is by selecting topics for information research. Below is the list of topics that we identified as relevant in 2020. For each topic, one or more students from the Amsterdam Vrije Universiteit will write a thesis. A total of 12 students have selected one of these topics and they are all expected to graduate in summer 2020. If you are interested in the results or would like to be involved in the interviews and experiments, please let us know.

Update: research results

In August 2020 several students completed their research and we have published some of these theses here:

Security and privacy by design

The principles of ‘security by design’ and ‘privacy by design’ have become mandatory for companies under the GDPR, together with ‘privacy by default’. Unfortunately, the GDPR itself does not define these principles well, leaving many questions about how one can comply with the GDPR. A few of the important questions are:

  • Are the product designers in companies in charge of design? If so, the privacy officers and data protection officers should not try to understand design, but just let designers do their work. ‘Security by design’ and ‘privacy by design’ just mean good design: asking for the right information and using it correctly.
  • ‘Design’ is a distinct, early phase in software project management (depending on the methodology). Perhaps ‘security by design’ and ‘privacy by design’ just mean that privacy and security are addressed early in the project, and not only at the end. Good project management will make sure security and privacy are discussed in the design phase.
  • The market needs to develop standards that will define what these terms mean for each sector. E.g. all web-based systems must conform to OWASP principles, all webshops must meet the thuiswinkel-waarborg criteria, websites must score 90% on internet.nl, and all educational systems must conform to SURF guidelines. For each type of application, one must select the most appropriate concrete security standard and make sure the application meets this standard.

In the research projects, we will look at existing security, privacy and design standards and tools and see if and how these can be applied in practice by companies. Suggestions for additional standards and tools are welcome.

Benefits and risks of low code platforms

There are several new platforms that allow companies to build applications without having to write much code: Mendix, Outsystems and Betty Blocks are the best known platforms. The platforms have several claimed benefits: lower development effort, less training needed to develop applications, and lower maintenance costs since programs run on a fully managed platform. Some experts even believe that the programmer-free world of citizen development has arrived. Low code platforms, however, must have some limitations and disadvantages. A few potential drawbacks are less optimised final results, usage constraints (users must log in), no influence on performance and vendor lock-in.

We would like to investigate both the benefits and drawbacks of these platforms. First of all, we would like to compare the use of these platforms for citizen development: do these platforms allow recruiters to automate the recruitment process, and is a low code solution better to use than the alternatives? Secondly, we would like to investigate whether low code platforms can help accountants get rid of spreadsheets and spreadsheet-related risks. There is a lot of research into spreadsheet risks, but it is not clear whether low code platforms resolve these risks.

Project management best practices

Last year, a new standard NPR-5326 was published by the NEN. The standard contains risks and control measures for development and maintenance of custom software. We are interested in understanding if companies use these control measures, what other measures they use and whether they believe this standard is a good way to manage software projects. The standard has not been developed for AI projects, so it is also interesting to validate whether the control measures can be applied to AI projects as well.

Artificial Intelligence and Ethics

Artificial Intelligence is still on the rise and this leads to more ethical questions about whether the technology is used fairly. In 2018 we covered the introduction of the AI Impact Assessment. This is an important, but not yet widely used, assessment tool to prevent unethical use of AI. Last year, Jesse Tol investigated whether face detection algorithms still work when tested on people with different types of headgear. This year we are again aiming to investigate several practical AI applications, similar to the applications and risks from this overview.

Business continuity for Software as a Service

Business continuity used to be a technical topic: organisations (e.g. banks, hospitals) that need continuous IT services needed to invest in multiple data centers, fire extinguishers, multiple disks and backup solutions. (One chapter of the commonly used standard ISO 27002 is focused on business continuity from a technical perspective.) With the rise of software-as-a-service, the field has changed. Companies no longer need to worry about the physical security of their data centers. Instead they need to worry about source code access, data access, bankruptcy and data export formats. We want to investigate what measures common SaaS providers offer, and whether these measures provide sufficient coverage for all technical and legal risks. One legal aspect that will be covered is whether source code escrow is necessary.

Learning analytics

Online learning platforms can capture a lot of data, and this data is potentially useful in improving education. Using learning analytics on this data, teachers can see how students are doing. Should teachers use this data more often? Or should students have access to their own data directly? What data is most valuable and how should this data be presented? (Learning analytics image from Giulia Forsyth, based on a keynote by @Houshuang via flickr.)

Next steps

All students are working on a thesis design document that describes what they will research, how and when. Most design documents include a structured literature search, interviews with practitioners, and some form of practical experiments with existing tools. Any suggestions for literature, experiments and tools/standards are welcome. If you are a practitioner, send us your suggestions or let us know if we can interview you. We are specifically interested in interviewing:

  • Organisations that are evaluating new AI applications
  • Organisations that use low code platforms
  • Software and AI project managers
  • Teachers that are already using learning analytics
  • Project managers of software and AI projects
  • IT lawyers that have a view of source code escrow and data escrow

Img src (header): Hans Reniers via unsplash

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.