
Page 1: Trust Economics Newcastle, UK March 9, 2010 Aad van Moorsel Newcastle University, UK aad.vanmoorsel@ncl.ac.uk

Trust Economics

Newcastle, UK, March 9, 2010

Aad van Moorsel
Newcastle University, UK

aad.vanmoorsel@ncl.ac.uk

Page 2

© Aad van Moorsel, Newcastle University, 2010

outline (in randomized order)

1. trust economics methodology

2. the research parts:
• soliciting human, technical and business aspects
• models
• ontologies
• user interfaces

3. examples
• passwords and compliance budget
• digital rights management
• access management

Page 3

trust economics methodology

Page 4

trust economics methodology for security decisions

[Diagram: stakeholders discuss a model of the information system; trade off: legal issues, human tendencies, business concerns, ...]

Page 5

trust economics research

from the trust economics methodology, the following research follows:

1. identify human, business and technical concerns

2. develop and apply mathematical modelling techniques

3. glue concerns, models and presentation together using a trust economics information security ontology

4. use the models to improve the stakeholders' discourse and decisions

Page 6

our involvement

1. identify human, business and technical concerns
– are working on a case study in Access Management (Maciej, James, with Geoff and Hilary from Bath)

2. develop and apply mathematical modelling techniques
– are generalising concepts to model human behaviour, and are validating it with data collection (Rob, Simon, with Doug, Robin and Bill from UIUC)
– do a modelling case study in DRM (Wen)

3. glue concerns, models and presentation together using a trust economics information security ontology
– developed an information security ontology, taking into account human behavioural aspects (Simon)
– made an ontology editing tool for CISOs (John)
– are working on a collaborative web-based tool (John, Simon, Stefan from SBA, Austria)

4. use the models to improve the stakeholders' discourse and decisions
– using participatory design methodology, are working with CISOs to do a user study (Simon, Philip and Angela from UCL)

Page 7

example of the trust economics methodology

passwords

Page 8

Information Security Management

Find out about how users behave, what the business issues are:

CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in IT.
Interviewer1: Do you think it would be useful to configure different user classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. E.g. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration if needed later. So, the costs of the password policy: running costs, helpdesk staff, trade-off of helpdesk vs. productivity
CISO1: That’s right.

Page 9

Information Security Management

Find out about how users behave, what the business issues are:

Discussion of "Productivity Losses":

CISO2: But it’s proportional to amount they earn. This is productivity. e.g. $1m salary but bring $20m into the company. There are expense people and productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small company.

Page 10

a model of the IT system

Page 11

[Screenshot: Password Policy Composition Tool. Menus: File, Help. Tabs: Policy Properties, Organisation Properties, User Properties. Policy inputs, each shown with #lower and #upper values: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries). Buttons: Generate Output, Export Policy. Output panel: Breaches / Productivity / Cost, with breaches split into Full, Composite and Partial and projected per annum for a 100-user sample.]

tool to communicate the result to a CISO

Page 12

an information security ontology incorporating human-behavioural implications

Simon Parkin, Aad van Moorsel
Newcastle University, UK

Robert Coles
Bank of America Merrill Lynch

Page 13

trust economics ontology

• we want to have a set of tools that implement the trust economics methodology
• needs to work for different case studies
• need a way to represent, maintain and interrelate relevant information
• glue between
– problem space: technical, human, business
– models
– interfaces

Page 14

Using an Ontology

• We chose to use an ontology to address these requirements, because:
– An ontology helps to formally define concepts and taxonomies
– An ontology serves as a means to share knowledge
  • Potentially across different disciplines
– An ontology can relate fragments of knowledge
  • Identify interdependencies

Page 15

Business, Behaviour and Security

• Example: Password Management
– There is a need to balance security and ease-of-use
– A complex password may be hard to crack, but might also be hard to remember

• Is there a way to:
– Identify our choices in these situations?
– Consider the potential outcomes of our choices in a reasoned manner?

Page 16

Requirements

• Standards should be represented
– Information security mechanisms are guided by policies, which are increasingly informed by standards

• The usability and security behaviours of staff must be considered
– Information assets being accessed;
– The vulnerabilities that users create;
– The intentional or unintentional threats user actions pose, and;
– The potential process controls that may be used and their identifiable effects

• CISOs must be able to relate ontology content to the security infrastructure they manage
– Representation of human factors and external standards should be clear, unambiguous, and illustrate interdependencies

Page 17

Information Security Ontology

• We created an ontology to represent the human-behavioural implications of information security management decisions
– Makes the potential human-behavioural implications visible and comparable

• Ontology content is aligned with information security management guidelines
– We chose the ISO27002: “Code of Practice” standard
– Provides a familiar context for information security managers (e.g. CISOs, CIOs, etc.)
– Formalised content is encoded in the Web Ontology Language (OWL)

• Human factors researchers and CISOs can contribute expertise within an ontology framework that connects their respective domains of knowledge
– Input from industrial partners and human factors researchers helps to make the ontology relevant and useful to prospective users

Page 18

Ontology - Overview

[Diagram: ontology classes linked by named relationships with 1 and * multiplicities. Classes: Chapter, Section, Guideline, Guideline Step, Asset, Vulnerability, Threat (Infra., Proc.), Behavioural Foundation, Behaviour Control, Control Type, Role. Relationships: contains, hasSubject, hasVulnerability, exploitedBy, isMitigatedBy, managesRiskOf, hasFoundation, hasRiskApproach, ownedBy, hasStakeholder.]

Page 19

Ontology – Password Policy Example

Chapter
Number: 11
Name: “Access Control”

Section
Number: 11.3
Name: “User Responsibilities”
Objective: ...

Guideline
Number: 11.3.1
Name: “Password Use”
Control: ...
Implementation Guidance (Additional): ...
Other Information: ...

Implementation Guidance Step
Number: 11.3.1 (d)
Guidance: “select quality passwords with sufficient minimum length which are: 1) easy to remember; ...”

[Diagram nodes: Password; Single Password Memorisation Difficult. Relationships shown: hasSubject, hasVulnerability.]

Page 20

Example – Password Memorisation

[Diagram key. Classes: Asset, Vulnerability, Behavioural Foundation, Procedural Threat, Infrastructure Threat, Threat Consequence, Behaviour Control, Control Type. Relationships: has vulnerability, exploited by, mitigated by, manages risk of.]

[Diagram nodes: Single Password Memorisation Difficult; Capability; Single Password Forgotten; User temporarily without access; Make Password Easier To Remember; Maintain Password Policy; Acceptance; Reduction.]

Page 21

Example – Recall Methods

[Diagram key. Classes: Asset, Vulnerability, Behavioural Foundation, Procedural Threat, Infrastructure Threat, Threat Consequence, Behaviour Control, Control Type. Relationships: has vulnerability, exploited by, mitigated by, manages risk of.]

[Diagram nodes: Single Password Memorisation Difficult; Password Stored Externally to Avoid Recall; Mindset; Insecure storage medium can be exploited by malicious party; Implement ISO27002 Guideline 11.3.1 (b), “avoid keeping a record of passwords”; Reduction; Educate Users in Recall Techniques; Reduction.]

Page 22

Example – Password Reset Function

[Diagram nodes: Single Password Memorisation Difficult; Single Password Forgotten; Capability; Helpdesk Password Reset Management; Transfer; IT Helpdesk Cannot Satisfy Reset Request; Helpdesk Busy; Automated Password Reset System; Additional Helpdesk Staff; Reduction; Reduction; Password Reset Process Laborious; Employee Becomes Impatient; Temporal; User temporarily without access; User compliance diminished; Helpdesk Provided With Identity Verification Details; User Account Details Stolen; Mindset; Malicious party gains access.]

Page 23

Conclusions

• CISOs need an awareness of the human-behavioural implications of their security management decisions

• Human Factors researchers need a way to contribute their expertise and align it with concepts that are familiar to CISOs
– Standards
– IT infrastructure
– Business processes

• We provided an ontology as a solution
– Serves as a formalised base of knowledge
– one piece of the Trust Economics tools

Page 24

an ontology for structured systems economics

Adam Beaument
UCL, HP Labs

David Pym
HP Labs, University of Bath

Page 25

ontology to link with the models

thus far, the trust economics ontology represents technology and human behavioural issues

how to glue this to the mathematical models?

Page 26

ontology

Page 28

conclusion on trust economics ontology

trust economics ontology is work in progress

- added human behavioural aspects to IT security concepts
- provided an abstraction that allows IT to be represented tailored to process algebraic model

to do:
- complete as well as simplify...
- proof is in the pudding: someone needs to use it in a case study

Page 29

an ontology editor and a community ontology

John Mace (project student)
Simon Parkin
Aad van Moorsel

Stefan Fenz
SBA, Austria

Page 30

Stakeholders

• Chief Information Security Officers (CISOs)
• Human Factors Researchers
• Ontology experts

Page 31

Current Ontology Development

• Requires use of an ontology creation tool
• Graphical or text based tools
• Both create machine readable ontology file from user input
• User must define underlying ontology structure

Page 32

Current Development Issues

• Knowledge required of ontology development and tools
• Development knowledge held by ontology experts and not those whose knowledge requires capture
• Current tools are complex and largely aimed at ontology experts
• Process is time-consuming and error prone

Page 33

how would you want to write ontology content?

<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
  <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
  <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>

Page 34

Proposed Solution

• A simple, intuitive tool to create/modify ontology in graphical form
• Captures knowledge of domain experts while removing need to know of ontology construction techniques
• Underlying information security ontology structure is predefined
• Interactive help system and mechanisms to minimise error

Page 35

Implementation Overview

[Diagram: a Chief Information Security Officer (CISO) / Human Factors Researcher (HFR) uses the Ontology Editor to enter content, save the current diagram and load an existing diagram. Components: Ontology Editor, Ontology Diagram Store, Java Translation Program, Ontology File Store. Artefacts: ontology diagram, ontology file.]

Page 36

Ontology Editor

Page 37

Adding New Concept

Page 38

Ontology Diagram

Page 39

Java Translation Program

[Diagram: Ontology Editor, Java Translation Program, Ontology File Store. Java libraries imported: Java 1.5 API, Xerces API, OWL API. Labels: user defined parameters; diagram saved to Temp folder; diagram retrieved from Temp folder; Ontology Diagram; Ontology File; file created; file saved.]

Page 40

Ontology File

• Written in machine readable Web Ontology Language OWL
• Created using OWL API
• File structure:
– Header
– Classes
– Data properties
– Object properties
– Individuals

Page 41

Ontology File Example

<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
  <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
  <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>
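Hand-edited ontology files are where references go stale, so the Vulnerability fragment above is worth checking mechanically. The following is an added example, not code from the slides or from the project's Java tool: it parses a small RDF/XML sample, reports references to individuals that are never defined, lists vulnerabilities with no mitigating control, and walks an asset's risk chain. The namespace, the Asset, Threat and BehaviourControl element spellings, and the hasVulnerability and managesRiskOf links are assumptions; the second vulnerability and its threat reuse labels from Page 47.

```python
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample. The first Vulnerability element is the slide's fragment;
# everything else is assumed for illustration, under a placeholder namespace.
# "#MakePasswordEasierToRemember" is deliberately left undefined.
SAMPLE = """\
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://example.org/infosec-ontology#">
  <Asset rdf:about="#Password">
    <hasVulnerability rdf:resource="#SinglePasswordMemorisationDifficult"/>
    <hasVulnerability rdf:resource="#PasswordEntryMayBeObserved"/>
  </Asset>
  <Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
    <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
    <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
  </Vulnerability>
  <Vulnerability rdf:about="#PasswordEntryMayBeObserved">
    <exploitedBy rdf:resource="#PasswordMayBeGuessedBySomeone"/>
  </Vulnerability>
  <Threat rdf:about="#SinglePasswordForgotten"/>
  <Threat rdf:about="#PasswordMayBeGuessedBySomeone"/>
  <BehaviourControl rdf:about="#MaintainPasswordPolicy">
    <managesRiskOf rdf:resource="#SinglePasswordForgotten"/>
  </BehaviourControl>
</rdf:RDF>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def load(xml_text):
    """Return (individuals, triples).

    individuals maps an individual's id to its class name; triples is a list
    of (subject, property, object) ids. For files from untrusted contributors,
    use a hardened parser such as defusedxml instead of the stdlib one.
    """
    root = ET.fromstring(xml_text)
    individuals, triples = {}, []
    for node in root:
        subject = node.get(f"{{{RDF_NS}}}about", "").lstrip("#")
        if not subject:
            continue
        individuals[subject] = _local(node.tag)
        for prop in node:
            target = prop.get(f"{{{RDF_NS}}}resource")
            if target is not None:
                triples.append((subject, _local(prop.tag), target.lstrip("#")))
    return individuals, triples


def dangling_references(individuals, triples):
    """Ids that are referenced by some property but never defined."""
    return sorted({obj for _, _, obj in triples if obj not in individuals})


def unmitigated_vulnerabilities(individuals, triples):
    """Vulnerability individuals that carry no mitigatedBy property."""
    mitigated = {s for s, p, _ in triples if p == "mitigatedBy"}
    return sorted(i for i, cls in individuals.items()
                  if cls == "Vulnerability" and i not in mitigated)


def risk_chain(asset, triples):
    """For one asset: [(vulnerability, threats, controls)], all sorted."""
    def objects(subject, prop):
        return sorted(o for s, p, o in triples if s == subject and p == prop)

    chain = []
    for vuln in objects(asset, "hasVulnerability"):
        threats = objects(vuln, "exploitedBy")
        controls = set(objects(vuln, "mitigatedBy"))
        # Controls attached to the threat rather than to the vulnerability.
        controls |= {s for s, p, o in triples
                     if p == "managesRiskOf" and o in threats}
        chain.append((vuln, threats, sorted(controls)))
    return chain


if __name__ == "__main__":
    individuals, triples = load(SAMPLE)
    print("dangling:", dangling_references(individuals, triples))
    print("unmitigated:", unmitigated_vulnerabilities(individuals, triples))
    for row in risk_chain("Password", triples):
        print(row)
```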

Page 42

Summary

• Need for information security ontology editing tool
• Proposed tool allows domain experts to develop ontology without knowledge of ontology construction
• Delivers machine readable ontology files
• Simplifies development process
• Allow further development of ‘base’ ontology

Page 43

Future Developments

• Ontology too large for small group to develop effectively
• Vast array of knowledge held globally
• Ontology development needs to be a collaborative process to be effective
• Web-oriented collaborative editing tool
• Basis for 3rd year dissertation

Page 44

user evaluation for trust economics software

Simon Parkin
Aad van Moorsel

Philip Inglesant
Angela Sasse
UCL

Page 45

participatory design of a trust economics tool

assume we have all pieces together:
• ontology
• models
• CISO interfaces

what should the tool look like?

we conduct a participatory design study with CISOs from:
• ISS
• UCL
• National Grid

method: get wish list from CISOs, show a mock-up tool and collect feedback, improve, add model in background, try it out with CISOs, etc.

Page 46

[Screenshot: Password Policy Composition Tool. Menus: File, Help. Tabs: Policy Properties, Organisation Properties, User Properties. Policy inputs, each shown with #lower and #upper values: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries). Buttons: Generate Output, Export Policy. Output panel: Breaches / Productivity / Cost, with breaches split into Full, Composite and Partial and projected per annum for a 100-user sample.]

tool to communicate the result to a CISO

Page 47

CISO user interfaces

[Screenshot: Organisation Properties tab, alongside Policy Properties and User Properties. Fields: Helpdesk Strategy (Manned / Automated); Manned Helpdesk - No. of Staff; Manned Helpdesk - Staff Salary (GBP); Automated Helpdesk - Annual Support Cost (USD); Manned Helpdesk – Reset Request Completion Time (Hrs); Automated Helpdesk – Reset Request Completion Time (Mins).]

[Screenshot: information pop-up for Password Length, closed with an OK button]

RELATED GUIDELINE(S)
Guideline: ISO27002 - 11.3.1(d)

VULNERABILITIES
Vulnerability: Password entry may be observed
  Threat: Password may be guessed by someone
Vulnerability: Password entry may become impractical
  Threat: Typographical errors result in login failure
  Threat: Typographical errors result in account lockout
  Threat: Login entry takes too long

Page 48

Information Security Management

Find out about how users behave, what the business issues are:

CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in IT.
Interviewer1: Do you think it would be useful to configure different user classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. E.g. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration if needed later. So, the costs of the password policy: running costs, helpdesk staff, trade-off of helpdesk vs. productivity
CISO1: That’s right.

Page 49

Information Security Management

Find out about how users behave, what the business issues are:

Discussion of "Productivity Losses":

CISO2: But it’s proportional to amount they earn. This is productivity. e.g. $1m salary but bring $20m into the company. There are expense people and productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small company.

Page 50

example of the trust economics methodology

access management

Maciej Machulak (also funded by JISC SMART)
James Turland (funded by EPSRC AMPS)
Wen Zeng (for DRM)
Aad van Moorsel

Geoff Duggan
Hilary Johnson
University of Bath

Page 51

Project Description

• The SMART (Student-Managed Access to Online Resources) project will develop an online data access management system based on the User-Managed Access (UMA) Web protocol, deploy it within Newcastle University and evaluate the system through a user study.
– The project team will also contribute to the standardisation effort of the UMA protocol by actively participating in the User-Managed Access Work Group (UMA WG – charter of the Kantara Initiative)

Page 52

Project Description - UMA

• User-Managed Access protocol – allows an individual to control the authorization of data sharing and service access made between online services on the individual's behalf.

Source: http://kantarainitiative.org/confluence/display/uma/UMA+Explained

Page 53

Project Description – Objectives

• Objectives:
– Define scenario for UMA use case within Higher Education (HE) environments
– Develop UMA-based authorisation solution
– Deploy the UMA-based solution within Newcastle University:
  • Integrate the system with institutional Web applications
  • Evaluate the system through a user study
– Contribute with the scenario, software and project findings to the UMA WG and actively participate in the standardisation effort of the UMA Web protocol.
– Demonstrate, document and disseminate project outputs

Page 54

trust economics applied to access management

• we build the application
• we build models to quantify trust or CIA properties
• we investigate user interfaces and user behaviour to input into the model

related: we also build DRM models, trading off productivity and confidentiality

Page 55

modelling concepts and model validation

Rob Cain (funded by HP)
Simon Parkin
Aad van Moorsel

Doug Eskin (funded by HP)
Robin Berthier
Bill Sanders
University of Illinois at Urbana-Champaign

Page 56

project objectives

• performance models traditionally have not included human behavioural aspects in their models
• we want to have generic modelling constructs to represent human behaviour, tendencies and choices:
– compliance budget
– risk propensity
– impact of training
– role dependent behaviour
• we want to validate our models with collected data
– offline data, such as from interviews
– online data, measure ‘live’
• we want to optimise the data collection strategy
• in some cases, it makes sense to extend our trust economics methodology with a strategy for data collection

Page 57

Presentation of Mobius

Page 58

Sample Results

[Plot: Without Comp Budget Feedback. Labels: Utility, HB Score, Prob of Encryption.]

Page 59

Sample Mobius Results (Cont.)

[Plot: Using Comp Budget Feedback. Labels: Utility, HB Score, Prob of Encryption.]

Page 60

Criticality of Using Data

• The goal of using data is to provide credibility to the model:
– By defining and tuning input parameters according to individual organization
– By assessing the validity of prediction results

• Issues:
– Numerous data sources
– Collection and processing phases are expensive and time consuming
– No strategy to drive data monitoring
– Mismatch between model and data that can be collected

Page 61

Data Collection Approach

1. Design specialized model according to requirements
2. Classify potential data sources according to their cost and quality
3. Optimize collection of data according to parameter importance
4. Run data validation and execute model

[Diagram: the numbered steps 1 to 4 placed around Stakeholders, Model, Data Sources, Importance and Cost / Quality, with the data feeding input parameter definition and output validation.]

Page 62

Data Sources Classification

• Cost:
– Cost to obtain
– Time to obtain
– Transparency
– Legislative process

• Quality:
– Accuracy
– Applicability

• Importance:
– Influence of parameter value on output

Page 63

Organization Budget Parameters

[Legend: Low, Medium, High]

| input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost |
|---|---|---|---|---|---|---|
| in | Budget | Total security investment | IT budget. Default is 100 | | medium | IT security survey (http://www.gartner.com, http://www.gocsi.com); interview with IT directors; public gov. budget data |
| in | Budget | Training investment | Training budget. Always, one-off 100 | USB stick = 100, software = 0, install and maintenance = 0 | low | interview with IT directors; public gov. budget data |
| in | Budget | Support proportion of budget | Experimental value. Proportion of Active Security Investment used for support | | high | interview with IT directors; public gov. budget data |
| in | Budget | Monitoring proportion of budget | Experimental value. 1 – (Support proportion of budget) | | high | interview with IT directors; public gov. budget data |

Page 64

Overall Human Parameters

| input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost |
|---|---|---|---|---|---|---|
| in | User behavior | Compliance budget | Effort willing to spend conforming with security policy that doesn't benefit you. | | | |
| in | User behavior | Perceived benefit of task | Effort willing to put in without using compliance budget. | Generalised: understanding, investment, incentives | | User survey |

Page 65: Trust Economics Newcastle, UK March 9, 2010 Aad van Moorsel Newcastle University, UK aad.vanmoorsel@ncl.ac.uk

Password: Probability of Break-in

| input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost |
|---|---|---|---|---|---|---|
| in | Culture of organization | Prob. of leaving default password | | Organization policy, user training | medium | |
| in | User behavior | Password strength | | Organization policy, user training | medium | |
| in | Attacker determination | Password strength threshold | Compromised by brute force attack | Password strength, attacker determination | medium | |
| in | User behavior | Password update frequency | | Organization policy, user training | medium | |
| in | User behavior | Prob. of being locked out | when password is forgotten | Organization policy, user training | medium | |
| in | User interface | Prob. of finding lost password | efficiency of password recovery tech. | | medium | |
| in | User interface | Prob. of needing support | (#support queries / #users) | prob. of forgetting password | medium | |
| in | User behavior | Management reprimands | | | medium | |
| in | User behavior | Negative support experiences | | | medium | |
| out | User behavior | Prob. password can be compromised | | | high | |
| out | Security | Availability | #successful data transfer | | high | |
| out | Security | Confidentiality | #exposures + #reveals | | high | |


data collection research

four sub problems:

• determine which data is needed to validate the model:
  – provide input parameter values
  – validate output parameters

• technical implementation of the data collection

• optimize data collection such that cost is within a certain bound: need to find the important parameters and trade off with cost of collecting it

• add data collection to the trust economics methodology:
  – a data collection strategy will be associated with the use of a model
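The third sub problem, worked as a 0/1 knapsack over parameters from the tables above. This is an added example, not code from the slides or the trust economics project: the numeric weights for low/medium/high influence, the integer collection costs and the function name select_parameters are all assumptions made for illustration.

```python
# Added example: choose which model parameters to collect data for, given a
# bound on total collection cost (0/1 knapsack, dynamic programming).

# Assumed scoring of the slides' Influence column (not from the slides).
INFLUENCE_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Constructed sample: names and influence ratings follow the parameter
# tables; the integer collection costs are invented for illustration.
PARAMETERS = [
    ("Total security investment", "medium", 3),
    ("Training investment", "low", 2),
    ("Support proportion of budget", "high", 4),
    ("Password strength", "medium", 5),
    ("Prob. of needing support", "medium", 1),
    ("Prob. password can be compromised", "high", 6),
]


def select_parameters(parameters, cost_bound):
    """Return (total influence, names) of the best set within cost_bound."""
    if cost_bound < 0 or any(cost < 0 for _, _, cost in parameters):
        raise ValueError("costs and the cost bound must be non-negative")
    # best[c] = best (influence, names) achievable with total cost <= c
    best = [(0, [])] * (cost_bound + 1)
    for name, influence, cost in parameters:
        weight = INFLUENCE_WEIGHT[influence]
        # Walk budgets downwards so each parameter is chosen at most once.
        for c in range(cost_bound, cost - 1, -1):
            candidate = best[c - cost][0] + weight
            if candidate > best[c][0]:
                best[c] = (candidate, best[c - cost][1] + [name])
    return best[cost_bound]


if __name__ == "__main__":
    for bound in (1, 8, 21):
        score, chosen = select_parameters(PARAMETERS, bound)
        print(f"cost bound {bound}: influence {score}: {', '.join(chosen)}")
```

With these constructed costs, a bound of 8 leaves out the high-influence output parameter because collecting it would crowd out two cheaper inputs.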


conclusion

trust economics research in Newcastle:
• ontology for human behavioural aspects, incl. editor and community version
• tool design with CISOs
• modelling: DRM and Access Management
• data collection strategies for validation

work to be done:
• generic ontology for trust economics, underlying the tools
• actual tool building
• evaluation of the methodology

and formulate a publication strategy


trust economics info

http://www.trust-economics.org/

Publications:
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49-75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium, 2008.

Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. CS-TR 1172, 2009.
• Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007.