Trust Economics
Newcastle, UK, March 9, 2010
Aad van Moorsel, Newcastle University, UK
© Aad van Moorsel, Newcastle University, 2010
outline (in randomized order)
1. trust economics methodology
2. the research parts:
   • soliciting human, technical and business aspects
   • models
   • ontologies
   • user interfaces
3. examples:
   • passwords and compliance budget
   • digital rights management
   • access management
trust economics methodology
trust economics methodology for security decisions
[Diagram: stakeholders discuss a model of the information system; the trade-off covers legal issues, human tendencies, business concerns, ...]
trust economics research
from the trust economics methodology, the following research follows:
1. identify human, business and technical concerns
2. develop and apply mathematical modelling techniques
3. glue concerns, models and presentation together using a trust economics information security ontology
4. use the models to improve the stakeholders discourse and decisions
our involvement
1. identify human, business and technical concerns
   – are working on a case study in Access Management (Maciej, James, with Geoff and Hilary from Bath)
2. develop and apply mathematical modelling techniques
   – are generalising concepts to model human behaviour, and are validating it with data collection (Rob, Simon, with Doug, Robin and Bill from UIUC)
   – do a modelling case study in DRM (Wen)
3. glue concerns, models and presentation together using a trust economics information security ontology
   – developed an information security ontology, taking into account human behavioural aspects (Simon)
   – made an ontology editing tool for CISOs (John)
   – are working on a collaborative web-based tool (John, Simon, Stefan from SBA, Austria)
4. use the models to improve the stakeholders' discourse and decisions
   – using participatory design methodology, are working with CISOs to do a user study (Simon, Philip and Angela from UCL)
example of the trust economics methodology
passwords
Information Security Management
Find out about how users behave, what the business issues are:
CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in IT.
Interviewer1: Do you think it would be useful to configure different user classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. Eg. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration if needed later. So, the costs of the password policy: running costs, helpdesk staff, trade-off of helpdesk vs. productivity.
CISO1: That’s right.
Information Security Management
Find out about how users behave, what the business issues are:
Discussion of "Productivity Losses":
CISO2: But it’s proportional to amount they earn. This is productivity. eg. $1m salary but bring $20m into the company. There are expense people and productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small company.
a model of the IT system
[Screenshot: Password Policy Composition Tool (File / Help menus; tabs User Properties, Organisation Properties, Policy Properties). Policy Properties fields, each with an info button and upper/lower bounds: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries). Buttons: Generate Output, Export Policy. Output panel “Breaches / Productivity / Cost”: number of breaches, projected per annum for a 100-user sample, split into Full / Composite / Partial, plus Productivity and Costs figures.]
tool to communicate the result to a CISO
an information security ontology incorporating
human-behavioural implications
Simon Parkin, Aad van Moorsel, Newcastle University, UK
Robert Coles, Bank of America Merrill Lynch
trust economics ontology
• we want to have a set of tools that implement the trust economics methodology
• needs to work for different case studies
• need a way to represent, maintain and interrelate relevant information
• glue between
  – problem space: technical, human, business
  – models
  – interfaces
Using an Ontology
• We chose to use an ontology to address these requirements, because:
  – An ontology helps to formally define concepts and taxonomies
  – An ontology serves as a means to share knowledge
    • Potentially across different disciplines
  – An ontology can relate fragments of knowledge
    • Identify interdependencies
Business, Behaviour and Security
• Example: Password Management
  – There is a need to balance security and ease-of-use
  – A complex password may be hard to crack, but might also be hard to remember
• Is there a way to:
  – Identify our choices in these situations?
  – Consider the potential outcomes of our choices in a reasoned manner?
Requirements
• Standards should be represented
  – Information security mechanisms are guided by policies, which are increasingly informed by standards
• The usability and security behaviours of staff must be considered
  – Information assets being accessed;
  – The vulnerabilities that users create;
  – The intentional or unintentional threats user actions pose, and;
  – The potential process controls that may be used and their identifiable effects
• CISOs must be able to relate ontology content to the security infrastructure they manage
  – Representation of human factors and external standards should be clear, unambiguous, and illustrate interdependencies
Information Security Ontology
• We created an ontology to represent the human-behavioural implications of information security management decisions
  – Makes the potential human-behavioural implications visible and comparable
• Ontology content is aligned with information security management guidelines
  – We chose the ISO27002: “Code of Practice” standard
  – Provides a familiar context for information security managers (e.g. CISOs, CIOs, etc.)
  – Formalised content is encoded in the Web Ontology Language (OWL)
• Human factors researchers and CISOs can contribute expertise within an ontology framework that connects their respective domains of knowledge
  – Input from industrial partners and human factors researchers helps to make the ontology relevant and useful to prospective users
Ontology - Overview
[Diagram: ontology overview. Classes: Chapter, Section, Guideline, Guideline Step (nested via “contains”); Asset; Vulnerability; Threat (subclasses Infra. and Proc.); Behaviour Control; Control Type; Behavioural Foundation; Role. Relationships: hasSubject, hasVulnerability, exploitedBy, hasFoundation, managesRiskOf, hasRiskApproach, isMitigatedBy, ownedBy, hasStakeholder, with 1 / * cardinalities marked on the edges.]
Ontology – Password Policy Example
Chapter – Number: 11; Name: “Access Control”
Section – Number: 11.3; Name: “User Responsibilities”; Objective: ...
Guideline – Number: 11.3.1; Name: “Password Use”; Control: ...; Implementation Guidance (Additional): ...; Other Information: ...
Implementation Guidance Step – Number: 11.3.1 (d); Guidance: “select quality passwords with sufficient minimum length which are: 1) easy to remember; ...”
hasSubject → Asset: Password
hasVulnerability → Vulnerability: Single Password Memorisation Difficult
Example – Password Memorisation
[Diagram. Key – classes: Vulnerability, Procedural Threat, Infrastructure Threat, Behaviour Control, Asset, Control Type, Behavioural Foundation, Threat Consequence; relationships: mitigated by, has vulnerability, exploited by, manages risk of.
Vulnerability: Single Password Memorisation Difficult
Procedural Threat: Single Password Forgotten (Behavioural Foundation: Capability)
Threat Consequence: User temporarily without access
Behaviour Controls: Make Password Easier To Remember (Control Type: Acceptance); Maintain Password Policy (Control Type: Reduction)]
Example – Recall Methods
[Diagram, same key as the previous example.
Vulnerability: Single Password Memorisation Difficult
Procedural Threat: Password Stored Externally to Avoid Recall (Behavioural Foundation: Mindset)
Threat Consequence: Insecure storage medium can be exploited by malicious party
Behaviour Controls: Implement ISO27002 Guideline 11.3.1 (b), “avoid keeping a record of passwords” (Control Type: Reduction); Educate Users in Recall Techniques (Control Type: Reduction)]
Example – Password Reset Function
[Diagram, nodes in reading order.
Behaviour Control: Helpdesk Password Reset Management (Control Type: Transfer)
Vulnerability: Single Password Memorisation Difficult; Procedural Threat: Single Password Forgotten (Behavioural Foundation: Capability)
Vulnerability: IT Helpdesk Cannot Satisfy Reset Request; Behaviour Controls: Automated Password Reset System, Additional Helpdesk Staff (Control Type: Reduction, Reduction); threats: Helpdesk Busy, Password Reset Process Laborious; consequences: User temporarily without access, User compliance diminished
Threat: Employee Becomes Impatient (Behavioural Foundation: Temporal); consequence: User temporarily without access
Vulnerability: Helpdesk Provided With Identity Verification Details; threat: User Account Details Stolen (Behavioural Foundation: Mindset); consequence: Malicious party gains access]
Conclusions
• CISOs need an awareness of the human-behavioural implications of their security management decisions
• Human Factors researchers need a way to contribute their expertise and align it with concepts that are familiar to CISOs
  – Standards
  – IT infrastructure
  – Business processes
• We provided an ontology as a solution
  – Serves as a formalised base of knowledge
  – one piece of the Trust Economics tools
an ontology for structured systems economics
Adam Beaument, UCL, HP Labs
David Pym, HP Labs, University of Bath
ontology to link with the models
thus far, the trust economics ontology represents technology and human behavioural issues
how to glue this to the mathematical models?
ontology
conclusion on trust economics ontology
trust economics ontology is work in progress
- added human behavioural aspects to IT security concepts
- provided an abstraction that allows IT to be represented tailored to process algebraic model
to do:
- complete as well as simplify...
- proof is in the pudding: someone needs to use it in a case study
an ontology editor and a community ontology
John Mace (project student), Simon Parkin, Aad van Moorsel
Stefan Fenz, SBA, Austria
Stakeholders
• Chief Information Security Officers (CISOs)
• Human Factors Researchers
• Ontology experts
Current Ontology Development
• Requires use of an ontology creation tool
• Graphical or text based tools
• Both create machine readable ontology file from user input
• User must define underlying ontology structure
Current Development Issues
• Knowledge required of ontology development and tools
• Development knowledge held by ontology experts and not those whose knowledge requires capture
• Current tools are complex and largely aimed at ontology experts
• Process is time-consuming and error prone
how would you want to write ontology content?
<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
  <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
  <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>
Proposed Solution
• A simple, intuitive tool to create/modify ontology in graphical form
• Captures knowledge of domain experts while removing need to know of ontology construction techniques
• Underlying information security ontology structure is predefined
• Interactive help system and mechanisms to minimise error
Implementation Overview
[Diagram: a Chief Information Security Officer (CISO) / Human Factors Researcher (HFR) enters content in the Ontology Editor, saves the current diagram or loads an existing one from the Ontology Diagram Store; a Java Translation Program turns an ontology diagram into an ontology file held in the Ontology File Store.]
Ontology Editor
Adding New Concept
Ontology Diagram
Java Translation Program
[Diagram: Ontology Editor → diagram saved to Temp folder → Ontology Diagram → diagram retrieved from Temp folder, plus user defined parameters → Java Translation Program (Java 1.5 API, Xerces API and OWL API imported) → file created → Ontology File → file saved → Ontology File Store.]
Ontology File
• Written in machine readable Web Ontology Language OWL
• Created using OWL API
• File structure:
  – Header
  – Classes
  – Data properties
  – Object properties
  – Individuals
Ontology File Example
<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
  <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
  <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>
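The ontology overview, the password memorisation example and the ontology file snippet above describe the same structure from three sides: classes, an instance graph, and its RDF/XML serialisation. The following Python is an added example, not the project's Java/OWL API translation program: it holds the password memorisation individuals as triples, writes them in the element shape shown on the slide, reads that shape back, and walks asset → vulnerability → threat / control. Class and property names are the ones on the slides; the rdf:RDF wrapper is added so the text parses stand-alone, and no ontology IRI is assumed beyond the fragment identifiers the slide uses.

```python
"""Added example, not the project's tool: a minimal in-memory form of the
trust economics ontology, a writer and reader for the RDF/XML element shape
on the slide, and a query over the asset -> vulnerability -> threat/control
chain that the example diagrams draw."""
import xml.etree.ElementTree as ET
from collections import defaultdict

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
ET.register_namespace("rdf", RDF_NS)


def _rdf(name):
    """Clark-notation name for an element/attribute in the RDF namespace."""
    return "{%s}%s" % (RDF_NS, name)


# Individuals and relationships of the password memorisation example from the
# slides as (subject, property, object) triples. "rdf:type" links an individual
# to its ontology class; the other properties are the diagram's edges.
EXAMPLE_TRIPLES = [
    ("Password", "rdf:type", "Asset"),
    ("SinglePasswordMemorisationDifficult", "rdf:type", "Vulnerability"),
    ("SinglePasswordForgotten", "rdf:type", "ProceduralThreat"),
    ("MakePasswordEasierToRemember", "rdf:type", "BehaviourControl"),
    ("MaintainPasswordPolicy", "rdf:type", "BehaviourControl"),
    ("Password", "hasVulnerability", "SinglePasswordMemorisationDifficult"),
    ("SinglePasswordMemorisationDifficult", "exploitedBy", "SinglePasswordForgotten"),
    ("SinglePasswordMemorisationDifficult", "mitigatedBy", "MakePasswordEasierToRemember"),
    ("SinglePasswordMemorisationDifficult", "mitigatedBy", "MaintainPasswordPolicy"),
]


def to_rdf_xml(triples):
    """Serialise one element per individual, in the slide's shape
    <Vulnerability rdf:about="#X"><mitigatedBy rdf:resource="#Y"/></Vulnerability>,
    inside an rdf:RDF root so the rdf prefix is declared."""
    classes = {}
    links = defaultdict(list)
    for subject, prop, obj in triples:
        if prop == "rdf:type":
            classes[subject] = obj
        else:
            links[subject].append((prop, obj))
    root = ET.Element(_rdf("RDF"))
    for subject, cls in classes.items():
        node = ET.SubElement(root, cls, {_rdf("about"): "#" + subject})
        for prop, obj in links[subject]:
            ET.SubElement(node, prop, {_rdf("resource"): "#" + obj})
    return ET.tostring(root, encoding="unicode")


def from_rdf_xml(text):
    """Read the same shape back into triples; an individual without rdf:about
    cannot be named, so it is rejected rather than silently skipped."""
    triples = []
    for node in ET.fromstring(text):
        about = node.get(_rdf("about"))
        if about is None:
            raise ValueError("individual without rdf:about: <%s>" % node.tag)
        subject = about.lstrip("#")
        triples.append((subject, "rdf:type", node.tag))
        for link in node:
            triples.append((subject, link.tag, link.get(_rdf("resource"), "").lstrip("#")))
    return triples


def follow(triples, subject, prop):
    """Objects reachable from subject over one property, in file order."""
    return [o for s, p, o in triples if s == subject and p == prop]


def risk_chain(triples, asset):
    """For each vulnerability of an asset: the threats that exploit it and the
    behaviour controls that mitigate it (the chain the slide diagrams show)."""
    return {
        vuln: {
            "exploitedBy": follow(triples, vuln, "exploitedBy"),
            "mitigatedBy": follow(triples, vuln, "mitigatedBy"),
        }
        for vuln in follow(triples, asset, "hasVulnerability")
    }


if __name__ == "__main__":
    xml_text = to_rdf_xml(EXAMPLE_TRIPLES)
    print(xml_text)
    print(risk_chain(from_rdf_xml(xml_text), "Password"))
```

Round-tripping through `from_rdf_xml(to_rdf_xml(...))` is the check an editor such as the one described on these slides needs before it overwrites a stored ontology file: every individual keeps its class and every edge survives the file format.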
Summary
• Need for information security ontology editing tool
• Proposed tool allows domain experts to develop ontology without knowledge of ontology construction
• Delivers machine readable ontology files
• Simplifies development process
• Allow further development of ‘base’ ontology
Future Developments
• Ontology too large for small group to develop effectively
• Vast array of knowledge held globally
• Ontology development needs to be a collaborative process to be effective
• Web-oriented collaborative editing tool
• Basis for 3rd year dissertation
user evaluation for trust economics software
Simon Parkin, Aad van Moorsel
Philip Inglesant, Angela Sasse, UCL
participatory design of a trust economics tool
assume we have all pieces together:
• ontology
• models
• CISO interfaces
what should the tool look like?
we conduct a participatory design study with CISOs from:
• ISS
• UCL
• National Grid
method: get wish list from CISOs, show a mock-up tool and collect feedback, improve, add model in background, try it out with CISOs, etc.
[Screenshot, repeated from the earlier methodology slide: Password Policy Composition Tool (File / Help menus; tabs User Properties, Organisation Properties, Policy Properties). Policy Properties fields, each with an info button and upper/lower bounds: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries). Buttons: Generate Output, Export Policy. Output panel “Breaches / Productivity / Cost”: number of breaches, projected per annum for a 100-user sample, split into Full / Composite / Partial, plus Productivity and Costs figures.]
tool to communicate the result to a CISO
[Screenshot: Organisation Properties tab (alongside User Properties and Policy Properties). Fields: Manned Helpdesk – No. of Staff; Manned Helpdesk – Staff Salary (GBP); Automated Helpdesk – Annual Support Cost (USD); Manned Helpdesk – Reset Request Completion Time (Hrs); Automated Helpdesk – Reset Request Completion Time (Mins); Helpdesk Strategy: Manned / Automated.]
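The Organisation Properties tab above parameterises the helpdesk side of the trade-off the CISO interviews raise (running costs and helpdesk staff against productivity), and the reset-function ontology example names the consequence that drives it, “User temporarily without access”. The following Python is an added example, not the Password Policy Composition Tool's own model: a constructed cost comparison of the Manned and Automated helpdesk strategies using the tab's fields. The formulas, the user hourly cost, the yearly reset volume and every number are assumptions made here, and the currencies shown on the tab (GBP, USD) are not converted.

```python
"""Added example: a constructed cost model for the 'Helpdesk Strategy:
Manned / Automated' choice on the Organisation Properties tab. Field names
follow the screenshot; formulas and numbers are assumptions, not the tool's."""

# Constructed organisation profile; every value is illustrative only.
EXAMPLE_ORG = {
    "manned_staff": 2,
    "manned_staff_salary": 25_000,          # per person per year
    "automated_annual_support_cost": 80_000,
    "manned_completion_hours": 4.0,         # reset request completion time (manned)
    "automated_completion_minutes": 10.0,   # reset request completion time (automated)
    "reset_requests_per_year": 3_000,       # assumed volume of reset requests
    "user_hourly_cost": 30.0,               # assumed value of an hour of user time
}


def strategy_costs(org, strategy):
    """Annual running cost plus the productivity lost while users wait for a
    reset (the 'User temporarily without access' consequence)."""
    if strategy == "manned":
        running = org["manned_staff"] * org["manned_staff_salary"]
        wait_hours = org["manned_completion_hours"]
    elif strategy == "automated":
        running = org["automated_annual_support_cost"]
        wait_hours = org["automated_completion_minutes"] / 60.0
    else:
        raise ValueError("unknown helpdesk strategy: %r" % strategy)
    productivity_loss = org["reset_requests_per_year"] * wait_hours * org["user_hourly_cost"]
    return {
        "running_cost": running,
        "productivity_loss": productivity_loss,
        "total": running + productivity_loss,
    }


def cheaper_strategy(org):
    """Strategy with the lower total of running cost and productivity loss."""
    totals = {s: strategy_costs(org, s)["total"] for s in ("manned", "automated")}
    return min(totals, key=totals.get)


def breakeven_resets(org):
    """Yearly reset volume at which both strategies cost the same, or None
    when one strategy is cheaper at every positive volume."""
    manned_running = org["manned_staff"] * org["manned_staff_salary"]
    wait_gap = org["manned_completion_hours"] - org["automated_completion_minutes"] / 60.0
    slope = wait_gap * org["user_hourly_cost"]   # extra cost per reset under 'manned'
    if slope == 0:
        return None
    volume = (org["automated_annual_support_cost"] - manned_running) / slope
    return volume if volume > 0 else None


if __name__ == "__main__":
    for s in ("manned", "automated"):
        print(s, strategy_costs(EXAMPLE_ORG, s))
    print("cheaper:", cheaper_strategy(EXAMPLE_ORG))
    print("break-even resets per year:", breakeven_resets(EXAMPLE_ORG))
```

With the constructed profile the manned desk is cheaper below roughly 261 resets a year and the automated one above it; the break-even volume is the figure a CISO would want next to the strategy switch, because it shows how sensitive the choice is to the reset rate, which in turn depends on the password policy's own forgetting rate.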
CISO user interfaces
[Screenshot: info pop-up for Password Length.
RELATED GUIDELINE(S) – Guideline: ISO27002 - 11.3.1(d)
VULNERABILITIES – Vulnerability: Password entry may be observed; Threat: Password may be guessed by someone. Vulnerability: Password entry may become impractical; Threats: Typographical errors result in login failure; Typographical errors result in account lockout; Login entry takes too long.
OK button]
Information Security Management
Find out about how users behave, what the business issues are:
CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in IT.
Interviewer1: Do you think it would be useful to configure different user classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. Eg. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration if needed later. So, the costs of the password policy: running costs, helpdesk staff, trade-off of helpdesk vs. productivity.
CISO1: That’s right.
Information Security Management
Find out about how users behave, what the business issues are:
Discussion of "Productivity Losses":
CISO2: But it’s proportional to amount they earn. This is productivity. eg. $1m salary but bring $20m into the company. There are expense people and productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small company.
example of the trust economics methodology
access management
Maciej Machulak (also funded by JISC SMART), James Turland (funded by EPSRC AMPS), Wen Zeng (for DRM), Aad van Moorsel
Geoff Duggan, Hilary Johnson, University of Bath
Project Description
• The SMART (Student-Managed Access to Online Resources) project will develop an online data access management system based on the User-Managed Access (UMA) Web protocol, deploy it within Newcastle University and evaluate the system through a user study.
  – The project team will also contribute to the standardisation effort of the UMA protocol by actively participating in the User-Managed Access Work Group (UMA WG – charter of the Kantara Initiative)
Project Description - UMA
• User-Managed Access protocol – allows an individual to control the authorization of data sharing and service access made between online services on the individual's behalf.
Source: http://kantarainitiative.org/confluence/display/uma/UMA+Explained
Project Description – Objectives
• Objectives:
  – Define scenario for UMA use case within Higher Education (HE) environments
  – Develop UMA-based authorisation solution
  – Deploy the UMA-based solution within Newcastle University:
    • Integrate the system with institutional Web applications
    • Evaluate the system through a user study
  – Contribute with the scenario, software and project findings to the UMA WG and actively participate in the standardisation effort of the UMA Web protocol.
  – Demonstrate, document and disseminate project outputs
trust economics applied to access management
• we build the application
• we build models to quantify trust or CIA properties
• we investigate user interfaces and user behaviour to input into the model
related: we also build DRM models, trading off productivity and confidentiality
modelling concepts and model validation
Rob Cain (funded by HP), Simon Parkin, Aad van Moorsel
Doug Eskin (funded by HP), Robin Berthier, Bill Sanders, University of Illinois at Urbana-Champaign
project objectives
• performance models traditionally have not included human behavioural aspects
• we want to have generic modelling constructs to represent human behaviour, tendencies and choices:
  – compliance budget
  – risk propensity
  – impact of training
  – role dependent behaviour
• we want to validate our models with collected data
  – offline data, such as from interviews
  – online data, measured ‘live’
• we want to optimise the data collection strategy
• in some cases, it makes sense to extend our trust economics methodology with a strategy for data collection
Presentation of Mobius
Sample Results
[Plot, “Without Comp Budget Feedback”: Utility (y axis, 220 to 380) against Prob of Encryption (x axis, 0 to 1); series labelled HB Score.]
Sample Mobius Results (Cont.)
[Plot, “Using Comp Budget Feedback”: Utility (y axis, 220 to 380) against Prob of Encryption (x axis, 0 to 1); series labelled HB Score.]
Criticality of Using Data
• The goal of using data is to provide credibility to the model:
  – By defining and tuning input parameters according to individual organization
  – By assessing the validity of prediction results
• Issues:
  – Numerous data sources
  – Collection and processing phases are expensive and time consuming
  – No strategy to drive data monitoring
  – Mismatch between model and data that can be collected
Data Collection Approach
1. Design specialized model according to requirements
2. Classify potential data sources according to their cost and quality
3. Optimize collection of data according to parameter importance
4. Run data validation and execute model
[Diagram: Stakeholders → (1) Model → (2) Data Sources, classified by Cost / Quality → (3) parameter Importance → (4) input parameter definition and output validation.]
Data Sources Classification
• Cost:
  – Cost to obtain
  – Time to obtain
  – Transparency
  – Legislative process
• Quality:
  – Accuracy
  – Applicability
• Importance:
  – Influence of parameter value on output
Organization Budget Parameters
(influence key: Low / Medium / High)
input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost
in | Budget | Total security investment | IT budget. Default is 100 | | medium | IT security survey (http://www.gartner.com, http://www.gocsi.com); interview with IT directors; public gov. budget data
in | Budget | Training investment | Training budget. Always, one-off 100 | USB stick = 100, software = 0, install and maintenance = 0 | low | interview with IT directors; public gov. budget data
in | Budget | Support proportion of budget | Experimental value. Proportion of Active Security Investment used for support | | high | interview with IT directors; public gov. budget data
in | Budget | Monitoring proportion of budget | Experimental value. 1 – (Support proportion of budget) | | high | interview with IT directors; public gov. budget data
Overall Human Parameters
input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost
in | User behavior | Compliance budget | Effort willing to spend conforming with security policy that doesn't benefit you. | Generalised: understanding, investment, incentives | | User survey
in | User behavior | Perceived benefit of task | Effort willing to put in without using compliance budget. | Generalised: understanding, investment, incentives | | User survey
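The two human parameters in the table above are defined by how effort is paid for: effort up to the perceived benefit of a task costs the user nothing, and any remainder is drawn from a finite compliance budget. The following Python is an added example, not the project's Mobius model: a constructed decision rule that applies exactly those two definitions to a sequence of security tasks, so that the order and size of policy demands decides which ones a user stops complying with once the budget is spent. The task list, effort units and benefit values are assumptions made here, not survey data.

```python
"""Added example: the 'compliance budget' and 'perceived benefit of task'
parameters applied as a simple per-task decision rule. Constructed; not the
project's Mobius model."""


def comply(effort, perceived_benefit, budget_left):
    """Decide one task. Effort up to the perceived benefit is covered by the
    user's own motivation; the shortfall must come from the compliance
    budget. Returns (complied, budget_left)."""
    shortfall = max(0.0, effort - perceived_benefit)
    if shortfall <= budget_left:
        return True, budget_left - shortfall
    return False, budget_left          # task skipped, budget unchanged


def simulate(tasks, compliance_budget):
    """Walk (task, effort, perceived_benefit) items in order and record the
    decision and remaining budget after each one."""
    budget_left = compliance_budget
    log = []
    for name, effort, benefit in tasks:
        ok, budget_left = comply(effort, benefit, budget_left)
        log.append((name, ok, budget_left))
    return log


def compliance_rate(log):
    """Fraction of tasks complied with."""
    return sum(1 for _, ok, _ in log if ok) / len(log)


# Constructed week of security tasks for one user, in arbitrary effort units.
# Benefit values are assumptions: a task the user sees as protecting their own
# work (disk encryption) scores high, one that only serves policy scores zero.
EXAMPLE_TASKS = [
    ("encrypt laptop disk", 3.0, 3.0),          # fully self-motivated, budget untouched
    ("change expired password", 2.0, 0.5),      # 1.5 from budget
    ("lock screen when leaving", 0.5, 0.0),     # 0.5 from budget
    ("report phishing email", 1.0, 0.0),        # 1.0 from budget
    ("complete awareness training", 4.0, 1.0),  # needs 3.0 from budget
    ("use VPN on public wifi", 1.0, 0.5),       # 0.5 from budget
]

if __name__ == "__main__":
    for entry in simulate(EXAMPLE_TASKS, 3.0):
        print(entry)
    print("compliance rate:", compliance_rate(simulate(EXAMPLE_TASKS, 3.0)))
```

With a budget of 3.0 the first four tasks are complied with and the budget is exhausted by the phishing report, so the training and the VPN are skipped even though the VPN is cheap; that ordering effect is what a policy designer looks for when deciding which demands to place on users first, and why raising perceived benefit (the "understanding, investment, incentives" in the table) is an alternative to demanding more budget.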
Password: Probability of Break-in
input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost
in | Culture of organization | Prob. of leaving default password | | Organization policy, user training | medium |
in | User behavior | Password strength | | Organization policy, user training | medium |
in | Attacker determination | Password strength threshold | Compromised by brute force attack | Password strength, attacker determination | medium |
in | User behavior | Password update frequency | | Organization policy, user training | medium |
in | User behavior | Prob. of being locked out when password is forgotten | | Organization policy, user training | medium |
in | User interface | Prob. of finding lost password | | efficiency of password recovery tech. | medium |
in | User interface | Prob. of needing support (#support queries / #users) | | prob. of forgetting password | medium |
in | User behavior | Management reprimands | | | medium |
in | User behavior | Negative support experiences | | | medium |
out | User behavior | Prob. password can be compromised | | | high |
out | Security | Availability | #successful data transfer | | high |
out | Security | Confidentiality | #exposures + #reveals | | high |
data collection research
four sub problems:
• determine which data is needed to validate the model:
  – provide input parameter values
  – validate output parameters
• technical implementation of the data collection
• optimize data collection such that cost is within a certain bound: need to find the important parameters and trade off with cost of collecting it
• add data collection to the trust economics methodology:
  – a data collection strategy will be associated with the use of a model
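Steps 2 and 3 of the Data Collection Approach, the cost / quality / importance classification, and the sub-problem above of keeping collection cost within a bound all come down to one selection: which parameters get real data, from which source, when the budget cannot cover all of them. The following Python is an added example, not the project's code: it takes the parameter names, influence ratings and source names from the Organization Budget Parameters table and searches for the assignment that maximises influence-weighted quality within a cost bound. The cost and quality numbers, the low/medium/high weights and the selection rule are assumptions made here.

```python
"""Added example: pick data sources for model parameters within a cost bound,
using the cost/quality/importance classification from the slides. Parameter
and source names come from the 'Organization Budget Parameters' table;
costs, qualities, weights and the rule are constructed."""
from itertools import product

INFLUENCE_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0}   # assumed weighting

# Per parameter: influence rating from the table, then candidate sources as
# (source, cost in person-days, quality 0..1). Costs and qualities are made up.
CANDIDATES = {
    "Total security investment": ("medium", [
        ("IT security survey", 1, 0.4),
        ("interview with IT directors", 3, 0.9),
        ("public gov. budget data", 2, 0.6)]),
    "Training investment": ("low", [
        ("interview with IT directors", 3, 0.9),
        ("public gov. budget data", 2, 0.5)]),
    "Support proportion of budget": ("high", [
        ("interview with IT directors", 3, 0.8),
        ("public gov. budget data", 2, 0.3)]),
    "Monitoring proportion of budget": ("high", [
        ("interview with IT directors", 3, 0.8),
        ("public gov. budget data", 2, 0.3)]),
}


def plan_collection(candidates, budget):
    """Exhaustive search over 'one source or none' per parameter (small enough
    here: at most 4 options per parameter). Returns (value, cost, plan) where
    plan maps parameter -> chosen source; a parameter left out keeps its model
    default and contributes nothing. Ties go to the cheaper plan."""
    names = list(candidates)
    options = [[None] + candidates[n][1] for n in names]
    best_value, best_cost, best_plan = 0.0, 0, {}
    for choice in product(*options):
        cost = sum(src[1] for src in choice if src is not None)
        if cost > budget:
            continue
        value = sum(INFLUENCE_WEIGHT[candidates[n][0]] * src[2]
                    for n, src in zip(names, choice) if src is not None)
        if value > best_value or (value == best_value and cost < best_cost):
            best_value, best_cost = value, cost
            best_plan = {n: src[0] for n, src in zip(names, choice) if src is not None}
    return best_value, best_cost, best_plan


def uncovered(candidates, plan):
    """Parameters that will run on defaults, most influential first, so the
    report to stakeholders states which outputs remain unvalidated."""
    missing = [n for n in candidates if n not in plan]
    return sorted(missing, key=lambda n: -INFLUENCE_WEIGHT[candidates[n][0]])


if __name__ == "__main__":
    for budget in (2, 6, 8):
        value, cost, plan = plan_collection(CANDIDATES, budget)
        print(budget, round(value, 2), cost, plan, "defaults:", uncovered(CANDIDATES, plan))
```

With six person-days the search spends everything on interviews for the two high-influence proportions and leaves total investment and training on defaults; two more days buy the government budget data for total investment. The exhaustive search is fine for the handful of parameters on these slides; a larger parameter table would call for a knapsack-style dynamic programme over integer costs instead.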
conclusion
trust economics research in Newcastle:
• ontology for human behavioural aspects, incl. editor and community version
• tool design with CISOs
• modelling: DRM and Access Management
• data collection strategies for validation
work to be done:
• generic ontology for trust economics, underlying the tools
• actual tool building
• evaluation of the methodology
and formulate a publication strategy
trust economics info
http://www.trust-economics.org/
Publications:
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49–75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium, 2008.
Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. CS-TR 1172, 2009.
• Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007.