Security: It’s all about motivation!
Einar Snekkenes
Professor
Gjøvik University College
Overview
• Security objectives
• Context establishment/ World view
• Transition to people focus/motivation
• The role of risk analysis
• Motivation – the model + Schwartz values
• Trade‐offs in decision making
• CIRA: Connecting risk and motivation
• Conclusion – have I convinced you?
Security Objectives
• Internal/local
  • Integrity
  • Confidentiality
  • Availability
• External
  • Compliance
ECO system dependencies
Information system service delivery chain elements
• Physical location
  • Building
  • Geographic area
  • Environment
  • ...
• The service
  • Staff
  • Operations procedures
  • ...
• Knowledge and theories on which sw/hw is based
• Software:
  • Application/ system services
  • Core operating systems
  • Development systems/compilers
  • Version control systems
  • ...
• Hardware ‐ built from large range of complex chips
  • PCs
  • Servers
  • Disks
  • Routers
  • Switches
  • Modems
  • Cell phones
  • ...
• Trustworthy platform/OS relies on
  • Requirements capture
  • Design
  • Library management
  • Programming
  • Compilation
  • Version control
  • ...
• Chips
  • Processors
  • Communication controllers
  • Peripheral controllers (e.g. USB)
  • ...

Computing value chain – suppliers
https://blog.hubspot.com/blog/tabid/6307/bid/1180/If‐Clayton‐Christiansen‐were‐running‐Apple‐Computer‐then.aspx
Farm to table
Source: duoliphotography.com

Supply chain attack – locations
Source: MITRE

Discontinuity and complexity of information systems
• Small changes (1 bit) may have serious consequences both for
  • Input data
  • Software
• SW systems – typical size: 100K ‐ 100M SLOC

Trusted computing base – dependencies
• What are the minimum requirements that must be placed on each of our suppliers and on the products/services we use in order for our objectives to be fulfilled?
• Given the size and complexity of the value chain and TCB, is direct code analysis/validation realistic?
Our concern – incidents – root causes
• Equipment
  • Acquired from others, but built and constructed by people.
• Process
  • Established by people – previously
• People
• So it’s all about people...

What to do – can we build on a ‘trend’?
• Code validation – the thing
• Process – how the thing is made
• Motivation ‐ what drives us to make the thing in a certain way ???
• Idea: handle increased complexity by increasing the abstraction level/ indirectness of our focus
Framing of risk
Kuypers (Rhetorical Criticism: Perspectives in Action)
Frames operate in four key ways: they
1. Define problems – classical PRA/ expected value
2. Diagnose causes ‐ CIRA & Motivational analysis of subjects
3. Make moral judgments – Feelings & Doing the ‘right’ thing
4. Suggest remedies – Security baseline

Risk Analysis in context
Risk management
Risk management & Risk analysis in a game theory (GT) perspective
• Risk analysis objective
  • Are we ‘happy’ with the current situation?
  • GT: Are we in equilibrium?
• Risk management objective
  • Decide what has to be done to stay ‘happy’.
  • Make sure it is done
  • Check that we are ‘happy’.
  • GT: Mechanism design and/or ‘Solving’ a game

Motivation – the model
• Given a decision situation (i.e. options)
• perceived impact on personal needs and values
• will strongly influence your choice.

A note on scope
• Only include conscious and strategic behaviour
• Some may say: «Then a lot is left out.»
• But in ‘legalese’ one sometimes says «... knew or should have known...»
• If you ... that you could be a victim, in most cases you can decide how/if non‐strategic actions/events are to be handled – and THAT is a strategic choice – i.e. within scope.
• CLAIM: Restricting our attention to strategic behaviour leaves very little out.

Values as motivators
From: Schwartz, Shalom H. "An overview of the Schwartz theory of basic values." Online Readings in Psychology and Culture 2.1 (2012): 11.

Motivation ‐ Choices
• ‘White‐hat hacker’ vs self assessment
• Release of software known to have bugs (document readers)
• Prioritize resources for recovery rather than prevention
• Short vs long term profit
• Usability/efficiency VS security robustness
• Business opportunity vs privacy/regulatory compliance (privacy)
• Operational convenience VS legal compliance (security services).
• Perceived VS actual performance (pollution, automotive industry)
• Functionality vs dependability
Conflicting Incentives Risk Analysis
CIRA Concepts
Risk is always subjective
Risk owner
Strategy owner
Perceived utility
Risk: The extent to which the perceived utility of strategy owner and risk owner are misaligned.
• Threat risk
  • Moral hazard ‐ Strategy owner can inflict negative externalities on the risk owner
• Opportunity risk
  • Strategy owner is incentivized not to act so as to yield the risk owner a positive perceived utility.

CIRA Risk visualization
Reflections
• Risk is subjective. My risk is different from your risk. One man’s breath, another’s death.
• References to ‘threat actor’ are stigmatizing and undermine the objective of a risk analysis. The so-called ‘good’ are attributed excessive trust and the ‘bad’ get too much blame – e.g. Snowden.
• Occasionally, legitimate organizations and government organizations are known to break rules and regulations – e.g. insider issues and miscarriage of justice.
• Abandon the term ‘threat actor’ ‐ frame the situation objectively, as conflicting interests, and use neutral terms. E.g. IRS attempts to break privacy legislation relating to toll road vehicle timing data.
• The risk analysis process will be improved if we focus on understanding motivation and incentives rather than referring to probabilities.

Conclusion
Security is primarily about
• Identification of
  • Dependencies,
  • Stakeholders,
  • Their motivation – and
• Modification of stakeholder value perceptions
  • So as to ensure that strategy owner motivation is aligned with risk owner value perceptions.

Questions?
PhD grant @HIG
• Conflicting Incentives Risk Analysis for Internet of Things in a Critical Infrastructure Context
• For further information, please contact
• einar.snekkenes@hig.no