Trust Economics
Aad van Moorsel
Newcastle University, UK
aad.vanmoorsel@ncl.ac.uk
Newcastle, UK, March 9, 2010
© Aad van Moorsel, Newcastle University, 2010

outline (in randomized order)
1. trust economics methodology
2. the research parts:
   • soliciting human, technical and business aspects
   • models
   • ontologies
   • user interfaces
3. examples
   • passwords and compliance budget
   • digital rights management
   • access management

trust economics methodology
trust economics methodology for security decisions:
trade off legal issues, human tendencies, business concerns, ...
[slide diagram: stakeholders discuss, informed by a model of the information system]

trust economics research
from the trust economics methodology, the following research follows:
1. identify human, business and technical concerns
2. develop and apply mathematical modelling techniques
3. glue concerns, models and presentation together using a trust economics information security ontology
4. use the models to improve the stakeholders’ discourse and decisions

our involvement
1. identify human, business and technical concerns
   – we are working on a case study in Access Management (Maciej, James, with Geoff and Hilary from Bath)
2. develop and apply mathematical modelling techniques
   – we are generalising concepts to model human behaviour, and are validating them with data collection (Rob, Simon, with Doug, Robin and Bill from UIUC)
   – we are doing a modelling case study in DRM (Wen)
3. glue concerns, models and presentation together using a trust economics information security ontology
   – we developed an information security ontology, taking human behavioural aspects into account (Simon)
   – we made an ontology editing tool for CISOs (John)
   – we are working on a collaborative web-based tool (John, Simon, Stefan from SBA, Austria)
4. use the models to improve the stakeholders’ discourse and decisions
   – using a participatory design methodology, we are working with CISOs to do a user study (Simon, Philip and Angela from UCL)

example of the trust economics methodology: passwords

Information Security Management
Find out about how users behave, what the business issues are:

CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in IT.
Interviewer1: Do you think it would be useful to configure different user classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. E.g. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration if needed later. So, the costs of the password policy: running costs, helpdesk staff, trade-off of helpdesk vs. productivity.
CISO1: That’s right.
Information Security Management
Find out about how users behave, what the business issues are:
Discussion of "Productivity Losses":

CISO2: But it’s proportional to amount they earn. This is productivity. E.g. $1m salary but bring $20m into the company. There are expense people and productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and what proportion is income earning.
Interviewer2: But this is a good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, esp. in small company.

a model of the IT system
[slide figure: model of the IT system]

tool to communicate the result to a CISO
[slide figure: Password Policy Composition Tool mock-up. Tabs: Policy Properties, Organisation Properties, User Properties. Policy parameters, each with an info button and a spinner: Password Length (#min_length), Password Complexity (#char_classes), Password Login Attempts (#max_retries), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days). Output panel Breaches / Productivity / Cost, projected per annum for a 100-user sample: Breaches (Full, Composite, Partial), Productivity, Costs; bar chart over user classes labelled Class 1 (280), Class 2 (175), Class 3 (350). Buttons: Generate Output, Export Policy.]

an information security ontology incorporating human-behavioural implications
Simon Parkin, Aad van Moorsel, Newcastle University, UK
Robert Coles, Bank of America Merrill Lynch

trust economics ontology
• we want to have a set of tools that implement the trust economics methodology
• needs to work for different case studies
• need a way to represent, maintain and interrelate relevant information
• glue between
  – problem space: technical, human, business
  – models
  – interfaces

Using an Ontology
• We chose to use an ontology to address these requirements, because:
  – An ontology helps to formally define concepts and taxonomies
  – An ontology serves as a means to share knowledge
    • Potentially across different disciplines
  – An ontology can relate fragments of knowledge
    • Identify interdependencies

Business, Behaviour and Security
• Example: Password Management
  – There is a need to balance security and ease-of-use
  – A complex password may be hard to crack, but might also be hard to remember
• Is there a way to:
  – Identify our choices in these situations?
  – Consider the potential outcomes of our choices in a reasoned manner?
Requirements
• Standards should be represented
  – Information security mechanisms are guided by policies, which are increasingly informed by standards
• The usability and security behaviours of staff must be considered
  – Information assets being accessed;
  – The vulnerabilities that users create;
  – The intentional or unintentional threats user actions pose, and;
  – The potential process controls that may be used and their identifiable effects
• CISOs must be able to relate ontology content to the security infrastructure they manage
  – Representation of human factors and external standards should be clear, unambiguous, and illustrate interdependencies

Information Security Ontology
• We created an ontology to represent the human-behavioural implications of information security management decisions
  – Makes the potential human-behavioural implications visible and comparable
• Ontology content is aligned with information security management guidelines
  – We chose the ISO27002 “Code of Practice” standard
  – Provides a familiar context for information security managers (e.g. CISOs, CIOs, etc.)
  – Formalised content is encoded in the Web Ontology Language (OWL)
• Human factors researchers and CISOs can contribute expertise within an ontology framework that connects their respective domains of knowledge
  – Input from industrial partners and human factors researchers helps to make the ontology relevant and useful to prospective users

Ontology – Overview
[slide class diagram. Classes: Chapter, Section, Guideline, Guideline Step, Control Type, Behaviour Control, Behavioural Foundation, Threat (Infrastructure, Procedural), Vulnerability, Asset, Role. Relationships: contains (between Chapter, Section, Guideline and Guideline Step), hasSubject, hasVulnerability, hasStakeholder, hasRiskApproach, hasFoundation, exploitedBy, managesRiskOf, isMitigatedBy, ownedBy.]

Ontology – Password Policy Example
Chapter – Number: 11, Name: “Access Control”
  Section – Number: 11.3, Name: “User Responsibilities”, Objective: ...
    Password Guideline – Number: 11.3.1, Name: “Password Use”, Control: ..., Implementation Guidance (Additional): ..., Other Information: ...
      Implementation Guidance Step – Number: 11.3.1 (d), Guidance: “select quality passwords with sufficient minimum length which are: 1) easy to remember; ...”
        hasSubject / hasVulnerability → Vulnerability: Single Password Memorisation Difficult

Example – Password Memorisation
[slide diagram. Key: classes Vulnerability, Procedural Threat, Infrastructure Threat, Behavioural Foundation, Behaviour Control, Asset, Control Type, Threat Consequence; relationships mitigated by, has vulnerability, exploited by, manages risk of. Nodes: Single Password Memorisation Difficult; Single Password Forgotten; Maintain Password Policy; User temporarily without access; Make Password Easier To Remember (control type Reduction); behavioural foundations Acceptance, Capability.]

Example – Recall Methods
[slide diagram, same key. Nodes: Single Password Memorisation Difficult; Educate Users in Recall Techniques (control type Reduction); Password Stored Externally to Avoid Recall; Insecure storage medium can be exploited by malicious party; Implement ISO27002 Guideline 11.3.1 (b), “avoid keeping a record of passwords” (control type Reduction); behavioural foundation Mindset.]

Example – Password Reset Function
[slide diagram, same key. Nodes: Single Password Memorisation Difficult; Single Password Forgotten; Helpdesk Password Reset Management (control type Transfer); User temporarily without access; Helpdesk Provided With Identity Verification Details (control type Reduction); Password Reset Process Laborious; Automated Password Reset System; Helpdesk Busy; Employee Becomes Impatient; User compliance diminished; User Account Details Stolen; Malicious party gains access; IT Helpdesk Cannot Satisfy Reset Request; Additional Helpdesk Staff; behavioural foundations Capability, Temporal, Mindset.]

Conclusions
• CISOs need an awareness of the human-behavioural implications of their security management decisions
• Human Factors researchers need a way to contribute their expertise and align it with concepts that are familiar to CISOs
  – Standards
  – IT infrastructure
  – Business processes
• We provided an ontology as a solution
  – Serves as a formalised base of knowledge
  – one piece of the Trust Economics tools

an ontology for structured systems economics
Adam Beaument, UCL, HP Labs
David Pym, HP Labs, University of Bath

ontology to link with the models
thus far, the trust economics ontology represents technology and human behavioural issues
how to glue this to the mathematical models?

ontology
[slide figures: ontology diagrams]

conclusion on trust economics ontology
trust economics ontology is work in progress
- added human behavioural aspects to IT security concepts
- provided an abstraction that allows IT to be represented tailored to a process algebraic model
to do:
- complete as well as simplify...
- proof is in the pudding: someone needs to use it in a case study

an ontology editor and a community ontology
John Mace (project student), Simon Parkin, Aad van Moorsel
Stefan Fenz, SBA, Austria

Stakeholders
• Chief Information Security Officers (CISOs)
• Human Factors Researchers
• Ontology experts

Current Ontology Development
• Requires use of an ontology creation tool
• Graphical or text based tools
• Both create a machine readable ontology file from user input
• User must define the underlying ontology structure

Current Development Issues
• Knowledge required of ontology development and tools
• Development knowledge held by ontology experts and not those whose knowledge requires capture
• Current tools are complex and largely aimed at ontology experts
• Process is time-consuming and error prone

how would you want to write ontology content?
    <Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
        <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
        <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
    </Vulnerability>

Proposed Solution
• A simple, intuitive tool to create/modify an ontology in graphical form
• Captures knowledge of domain experts while removing the need to know ontology construction techniques
• Underlying information security ontology structure is predefined
• Interactive help system and mechanisms to minimise error

Implementation Overview
[slide diagram: the Chief Information Security Officer (CISO) / Human Factors Researcher (HFR) enters content in the Ontology Editor; the editor loads an existing diagram from, and saves the current diagram to, the Ontology Diagram Store; the Java Translation Program turns the ontology diagram into an ontology file in the Ontology File Store.]

Ontology Editor
[slide screenshot: Ontology Editor]

Adding New Concept
[slide screenshot: adding a new concept in the editor]

Ontology Diagram
[slide screenshot: ontology diagram]

Java Translation Program
[slide diagram: the Ontology Editor saves the ontology diagram to a Temp folder; the Java Translation Program retrieves the diagram from the Temp folder, creates the ontology file using user defined parameters, and saves it to the Ontology File Store.]
Java libraries imported: Java 1.5 API, Xerces API, OWL API

Ontology File
• Written in the machine readable Web Ontology Language (OWL)
• Created using the OWL API
• File structure:
  – Header
  – Classes
  – Data properties
  – Object properties
  – Individuals

Ontology File Example
    <Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
        <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
        <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
    </Vulnerability>

Summary
• Need for an information security ontology editing tool
• Proposed tool allows domain experts to develop an ontology without knowledge of ontology construction
• Delivers machine readable ontology files
• Simplifies the development process
• Allows further development of the ‘base’ ontology

Future Developments
• Ontology too large for a small group to develop effectively
• Vast array of knowledge held globally
• Ontology development needs to be a collaborative process to be effective
• Web-oriented collaborative editing tool
• Basis for 3rd year dissertation

user evaluation for trust economics software
Simon Parkin, Aad van Moorsel
Philip Inglesant, Angela Sasse, UCL

participatory design of a trust economics tool
assume we have all pieces together:
• ontology
• models
• CISO interfaces
what should the tool look like?
we conduct a participatory design study with CISOs from:
• ISS
• UCL
• National Grid
method: get a wish list from CISOs, show a mock-up tool and collect feedback, improve, add the model in the background, try it out with CISOs, etc.
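The ontology file fragment shown in the editor section above is RDF/XML; the interdependency queries the ontology is meant to support (which threats exploit a vulnerability, which controls mitigate it, and where no control exists) can be run directly over such a file. The following is an added example, not the project's Java tool or its OWL API code: it parses a constructed fragment in that layout with the Python standard library. The namespace URI, the Asset placement of "Maintain Password Policy" and the hasRiskApproach pairing of a control with its control type are assumptions taken from the slide diagrams.

```python
"""Added example, not the project's own tool: parse the RDF/XML ontology
file layout shown on the slides and query the interdependencies it captures."""
import xml.etree.ElementTree as ET
from collections import defaultdict

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Constructed fragment in the slide's <Vulnerability ...> layout.  Names are the
# password examples from the slides; the default namespace is an assumption,
# and "Maintain Password Policy" is treated here as the Asset that has the
# vulnerabilities (its class is not labelled on the slide).
ONTOLOGY_XML = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://example.org/trust-economics#">
  <Asset rdf:about="#MaintainPasswordPolicy">
    <hasVulnerability rdf:resource="#SinglePasswordMemorisationDifficult"/>
    <hasVulnerability rdf:resource="#PasswordResetProcessLaborious"/>
  </Asset>
  <Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
    <mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
    <mitigatedBy rdf:resource="#EducateUsersInRecallTechniques"/>
    <exploitedBy rdf:resource="#SinglePasswordForgotten"/>
    <exploitedBy rdf:resource="#PasswordStoredExternallyToAvoidRecall"/>
  </Vulnerability>
  <Vulnerability rdf:about="#PasswordResetProcessLaborious">
    <exploitedBy rdf:resource="#EmployeeBecomesImpatient"/>
  </Vulnerability>
  <BehaviourControl rdf:about="#MakePasswordEasierToRemember">
    <hasRiskApproach rdf:resource="#Reduction"/>
  </BehaviourControl>
  <BehaviourControl rdf:about="#EducateUsersInRecallTechniques">
    <hasRiskApproach rdf:resource="#Reduction"/>
  </BehaviourControl>
  <ProceduralThreat rdf:about="#SinglePasswordForgotten"/>
  <ProceduralThreat rdf:about="#PasswordStoredExternallyToAvoidRecall"/>
  <ProceduralThreat rdf:about="#EmployeeBecomesImpatient"/>
  <ControlType rdf:about="#Reduction"/>
</rdf:RDF>"""


def local(name):
    """Strip the namespace from an element or attribute name."""
    return name.split("}")[-1]


def ref(value):
    """'#Name' or 'http://ns#Name' -> 'Name'."""
    return value.split("#")[-1]


def load_graph(xml_text):
    """Return {individual: {"type": class name, "rel": {relation: [targets]}}}."""
    graph = {}
    for elem in ET.fromstring(xml_text):
        rels = defaultdict(list)
        for child in elem:
            target = child.get(RDF + "resource")
            if target is not None:  # object property; literals are ignored here
                rels[local(child.tag)].append(ref(target))
        graph[ref(elem.get(RDF + "about", ""))] = {"type": local(elem.tag),
                                                   "rel": dict(rels)}
    return graph


def risk_report(graph, asset):
    """For each vulnerability of an asset: (vulnerability, exploiting threats,
    [(mitigating control, risk approach)]), the view used to compare options."""
    report = []
    for vuln in graph[asset]["rel"].get("hasVulnerability", []):
        rel = graph[vuln]["rel"]
        controls = [(c, graph[c]["rel"].get("hasRiskApproach", ["unspecified"])[0])
                    for c in rel.get("mitigatedBy", [])]
        report.append((vuln, rel.get("exploitedBy", []), controls))
    return report


def unmitigated(graph):
    """Vulnerabilities exploited by some threat but mitigated by no control."""
    return sorted(name for name, node in graph.items()
                  if node["type"] == "Vulnerability"
                  and node["rel"].get("exploitedBy")
                  and not node["rel"].get("mitigatedBy"))
```

Running `risk_report(load_graph(ONTOLOGY_XML), "MaintainPasswordPolicy")` lists each vulnerability with its threats and controls, and `unmitigated` flags the laborious reset process as the gap with no control captured.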
[Password Policy Composition Tool mock-up shown again; see the tool slide above.]

CISO user interfaces
[slide mock-up. Tabs: Policy Properties, Organisation Properties, User Properties. Organisation Properties fields: Helpdesk Strategy (Manned / Automated); Manned Helpdesk – No. of Staff; Manned Helpdesk – Staff Salary (GBP / USD); Automated Helpdesk Annual Support Cost; Manned Helpdesk – Reset Request Completion Time (Hrs / Mins); Automated Helpdesk – Reset Request Completion Time. Info pop-up for Password Length: RELATED GUIDELINE(S): ISO27002 – 11.3.1(d); VULNERABILITIES: Password entry may be observed (Threat: Password may be guessed by someone); Password entry may become impractical (Threats: Typographical errors result in login failure; Typographical errors result in account lockout; Login entry takes too long); OK button.]

[Information Security Management interview excerpts (CISO1 on user classes and password policy costs; CISO2 on productivity losses) shown again; see above.]

example of the trust economics methodology: access management
Maciej Machulak (also funded by JISC SMART)
James Turland (funded by EPSRC AMPS)
Wen Zeng (for DRM)
Aad van Moorsel
Geoff Duggan, Hilary Johnson, University of Bath

Project Description
• The SMART (Student-Managed Access to Online Resources) project will develop an online data access management system based on the User-Managed Access (UMA) Web protocol, deploy it within Newcastle University and evaluate the system through a user study.
  – The project team will also contribute to the standardisation effort of the UMA protocol by actively participating in the User-Managed Access Work Group (UMA WG, chartered by the Kantara Initiative)

Project Description – UMA
• User-Managed Access protocol
  – allows an individual to control the authorization of data sharing and service access made between online services on the individual's behalf.
Source: http://kantarainitiative.org/confluence/display/uma/UMA+Explained

Project Description – Objectives
• Objectives:
  – Define scenario for UMA use case within Higher Education (HE) environments
  – Develop UMA-based authorisation solution
  – Deploy the UMA-based solution within Newcastle University:
    • Integrate the system with institutional Web applications
    • Evaluate the system through a user study
  – Contribute the scenario, software and project findings to the UMA WG and actively participate in the standardisation effort of the UMA Web protocol.
  – Demonstrate, document and disseminate project outputs

trust economics applied to access management
• we build the application
• we build models to quantify trust or CIA properties
• we investigate user interfaces and user behaviour to input into the model
related: we also build DRM models, trading off productivity and confidentiality

modelling concepts and model validation
Rob Cain (funded by HP), Simon Parkin, Aad van Moorsel
Doug Eskin (funded by HP), Robin Berthier, Bill Sanders, University of Illinois at Urbana-Champaign

project objectives
• performance models traditionally have not included human behavioural aspects
• we want to have generic modelling constructs to represent human behaviour, tendencies and choices:
  – compliance budget
  – risk propensity
  – impact of training
  – role dependent behaviour
• we want to validate our models with collected data
  – offline data, such as from interviews
  – online data, measured ‘live’
• we want to optimise the data collection strategy
• in some cases, it makes sense to extend our trust economics methodology with a strategy for data collection

Presentation of Mobius

Sample Results
[plot: Utility and HB Score (y axis, 220–380) against Prob of Encryption (x axis, 0–1), without compliance budget feedback]

Sample Mobius Results (Cont.)
[plot: Utility and HB Score (y axis, 220–380) against Prob of Encryption (x axis, 0–1), using compliance budget feedback]

Criticality of Using Data
• The goal of using data is to provide credibility to the model:
  – By defining and tuning input parameters according to the individual organization
  – By assessing the validity of prediction results
• Issues:
  – Numerous data sources
  – Collection and processing phases are expensive and time consuming
  – No strategy to drive data monitoring
  – Mismatch between model and data that can be collected

Data Collection Approach
[slide diagram: Stakeholders, Model, Data Sources (Cost / Quality) and Importance, linked by steps 1–4; stakeholders provide input parameter definition and output validation]
1. Design specialized model according to requirements
2. Classify potential data sources according to their cost and quality
3. Optimize collection of data according to parameter importance
4. Run data validation and execute model

Data Sources Classification
• Cost:
  – Cost to obtain
  – Time to obtain
  – Transparency
  – Legislative process
• Quality:
  – Accuracy
  – Applicability
• Importance:
  – Influence of parameter value on output

Organization Budget Parameters
input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost
in | Budget | Total security investment | IT budget. Default is 100 | | medium | IT security survey (http://www.gartner.com, http://www.gocsi.com); interview with IT directors; public gov. budget data
in | Budget | Training investment | Training budget. Always, one-off | 100 | | Experimental value.
in | Budget | Active Security Investment | USB stick = 100, software = 0, install and maintenance = 0 | | high | interview with IT directors; public gov. budget data; Experimental value.
in | Budget | Support proportion of budget | proportion of budget used for support | Low, Medium, High | low | interview with IT directors; public gov. budget data
in | Budget | Monitoring proportion of budget | 1 – (Support proportion of budget) | | high | interview with IT directors; public gov. budget data

Overall Human Parameters
input/output | Category | Parameter | Description | Variables | Influence | Data Sources and Cost
in | User behavior | Compliance budget | Effort willing to spend conforming with security policy that doesn't benefit you. | Generalised: understanding, investment, incentives | | User survey
in | User behavior | Perceived benefit of task | Effort willing to put in without using compliance budget. | | |

Password: Probability of Break-in
input/output | Category | Parameter | Description | Variables | Influence
in | Culture of organization | Prob. of leaving default password | | Organization policy, user training | medium
in | User behavior | Password strength | | Organization policy, user training | medium
in | Attacker | Password strength determination threshold | | Password strength, attacker determination | medium
in | User behavior | Password update frequency | | Organization policy, user training | medium
in | User behavior | Prob. of being locked out when password is forgotten | | Organization policy, user training | medium
in | User interface | Prob. of finding lost password | | efficiency of password recovery tech. | medium
in | User interface | Prob. of needing support (#support queries / #users) | | prob. of forgetting password | medium
in | User behavior | Management reprimands | | | medium
in | User behavior | Negative support experiences | | | medium
out | User behavior | Prob. password can be compromised | | Compromised by brute force attack | high
out | Security | Availability | #successful data transfer | | high
out | Security | Confidentiality | #exposures + #reveals | | high

data collection research
four sub problems:
• determine which data is needed to validate the model:
  – provide input parameter values
  – validate output parameters
• technical implementation of the data collection
• optimize data collection such that cost is within a certain bound: need to find the important parameters and trade off with the cost of collecting them
• add data collection to the trust economics methodology:
  – a data collection strategy will be associated with the use of a model

conclusion
trust economics research in Newcastle:
• ontology for human behavioural aspects, incl. editor and community version
• tool design with CISOs
• modelling: DRM and Access Management
• data collection strategies for validation
work to be done:
• generic ontology for trust economics, underlying the tools
• actual tool building
• evaluation of the methodology and formulate a publication strategy

trust economics info
http://www.trust-economics.org/
Publications:
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49–75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium, 2008.
Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. CS-TR 1172, 2009.
• Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007.
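The data collection approach in the modelling section above (classify sources by cost and quality, then collect within a cost bound according to parameter importance) can be made concrete as a small selection problem. The following is an added example, not the project's own code: parameter names, influence levels and source names follow the slides' tables, while the cost and quality numbers are constructed and the two 'live' sources (helpdesk ticket logs, password audit) are hypothetical.

```python
"""Added example, not the project's own code: the data-source selection step
of the data collection approach, as an exhaustive search over source subsets.
Parameter names, influence levels and source names follow the slides' tables;
costs and qualities are constructed numbers, and two sources are hypothetical."""
from itertools import combinations

INFLUENCE = {"low": 1, "medium": 2, "high": 3}  # importance weights (assumption)

# Model parameters and their influence on the output, from the slides' tables.
PARAMETERS = {
    "total_security_investment": "medium",
    "support_proportion_of_budget": "low",
    "monitoring_proportion_of_budget": "high",
    "password_strength": "medium",
    "password_update_frequency": "medium",
    "prob_needing_support": "medium",
    "compromised_by_brute_force": "high",
}

# Candidate sources.  cost folds money, time, transparency and legislative
# effort into one constructed number; quality is constructed accuracy x
# applicability in 0..1.  The last two sources are hypothetical 'live' data.
SOURCES = {
    "it_security_survey": {"cost": 1, "quality": 0.5,
                           "covers": {"total_security_investment"}},
    "public_gov_budget_data": {"cost": 2, "quality": 0.6,
                               "covers": {"total_security_investment",
                                          "support_proportion_of_budget",
                                          "monitoring_proportion_of_budget"}},
    "interview_it_directors": {"cost": 5, "quality": 0.9,
                               "covers": {"total_security_investment",
                                          "support_proportion_of_budget",
                                          "monitoring_proportion_of_budget"}},
    "user_survey": {"cost": 4, "quality": 0.7,
                    "covers": {"password_strength", "password_update_frequency",
                               "prob_needing_support"}},
    "helpdesk_ticket_logs": {"cost": 3, "quality": 0.95,
                             "covers": {"prob_needing_support"}},
    "password_audit": {"cost": 6, "quality": 0.9,
                       "covers": {"password_strength",
                                  "compromised_by_brute_force"}},
}


def coverage_value(selected):
    """Importance-weighted quality: each parameter counts the best selected
    source that covers it, or 0 if none does."""
    total = 0.0
    for param, level in PARAMETERS.items():
        best = max((SOURCES[s]["quality"] for s in selected
                    if param in SOURCES[s]["covers"]), default=0.0)
        total += INFLUENCE[level] * best
    return total


def plan_collection(budget):
    """Best (value, cost, [sources]) with total cost <= budget.  Exhaustive
    over subsets, which is fine for the handful of sources a study has;
    ties go to the cheaper plan."""
    best = (0.0, 0, [])
    names = sorted(SOURCES)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            cost = sum(SOURCES[s]["cost"] for s in subset)
            if cost > budget:
                continue
            value = coverage_value(subset)
            if value > best[0] + 1e-9 or (abs(value - best[0]) < 1e-9
                                         and cost < best[1]):
                best = (value, cost, list(subset))
    return best


def uncovered(selected):
    """Parameters left without any data source, most influential first: the
    gap to report back to the stakeholders or to budget for next."""
    return sorted((p for p in PARAMETERS
                   if not any(p in SOURCES[s]["covers"] for s in selected)),
                  key=lambda p: -INFLUENCE[PARAMETERS[p]])
```

With a budget of 10 the plan is the director interviews plus the user survey, and `uncovered` reports that the high-influence brute-force parameter is still unmeasured; raising the budget to 15 brings in the password audit and closes that gap.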