SERENE Spring School, Birkbeck College, UK April 14, 2010
Tools to Make Objective
Information Security Decisions
—
The Trust Economics Methodology
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@ncl.ac.uk
motivation
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
security and trust
data loss
http://www.youtube.com/watch?v=JCyAwYv0Ly0
identity theft
http://www.youtube.com/watch?v=CS9ptA3Ya9E
worms
http://www.youtube.com/watch?v=YqMt7aNBTq8
http://www.informationweek.com/news/software/showArti
cle.jhtml?articleID=221400323
© Aad van Moorsel, Newcastle University, 2010
3
security and trust
security:
protection of a system against malicious attacks
information security:
preservation of confidentiality, integrity and availability of
information
CIA properties
• confidentiality
• integrity
• availability
© Aad van Moorsel, Newcastle University, 2010
4
why metrics and why quantification?
two uses:
• gives the ability to monitor the quality of a system as it is
being used (using measurement)
• gives the ability to predict for the future the quality of a
design or a system (using modelling)
a good metric is critical to make measurement and modelling
useful
© Aad van Moorsel, Newcastle University, 2010
5
security and trust
trust: a personal, subjective perception of the quality of a
system or personal, subjective decision to rely on a system
evaluation trust: the subjective probability by which an
individual A expects that another individual B performs a
given action on which A’s welfare depends (Gambetta
1988)
decision trust: the willingness to depend on something or
somebody in a given situation with a feeling of relative
security, even though negative consequences are possible
(McKnight and Chervany 1996)
© Aad van Moorsel, Newcastle University, 2010
6
security and trust
what is more important,
security or trust?
“Security Theatre and
Balancing Risks” (Bruce
Schneier)
http://www.cato.org/dail
ypodcast/podcastarchive.php?podcast_id=8
12
© Aad van Moorsel, Newcastle University, 2010
7
defining the problem space:
ontology of security
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
ontologies
• a collection of interrelated terms and concepts
that describe and model a domain
• used for knowledge sharing and reuse
• provide machine-understandable meaning to data
• expressed in a formal ontology language (e.g. OWL,
DAML+OIL)
© Aad van Moorsel, Newcastle University, 2010
9
ontology features
• common understanding of a domain
– formally describes concepts and their relationships
– supports consistent treatment of information
– reduces misunderstandings
• explicit semantics
– machine understandable descriptions of terms and their
relationships
– allows expressive statements to be made about domain
– reduces interpretation ambiguity
– enables interoperability
© Aad van Moorsel, Newcastle University, 2010
10
ontology features (cont.)
• expressiveness
– ontologies built using expressive languages
– languages able to represent formal semantics
– enable human and software interpretation and
reasoning
• sharing information
– information can be shared, used and reused
– supported by explicit semantics
– applications can interoperate through a shared
understanding of information
© Aad van Moorsel, Newcastle University, 2010
11
ontology example
© Aad van Moorsel, Newcastle University, 2010
12
ontology structure
• ontologies describe data semantics
• express semantics by:
– defining information representation building
blocks
– describe relationships between building blocks
– describe relationships within building blocks
• building blocks are classes, individuals and
properties
© Aad van Moorsel, Newcastle University, 2010
13
ontology structure (cont.)
• classes
– represent groups of object instances with similar
properties
– related to object class concept in OO programming
– general statements can be made to include all of a
class’ member objects at once
• individuals
– represent class object instances
– similar to objects in OO programming but do not have
associated functionality
© Aad van Moorsel, Newcastle University, 2010
14
ontology structure (cont.)
• properties
–
–
–
–
–
associate an individual to a value
values can be simple data values or an object
individuals may have multiple properties
similar to accessor methods in OO programming
can be associated with multiple unrelated classes
leading to reusability of property descriptions
© Aad van Moorsel, Newcastle University, 2010
15
relating information
• need to describe relationships between classes,
individuals and properties
• the most important relationships are:
– individual to class “is an instance of”
– individual to property “has value of”
– restrictions between classes and properties
• individual to class
– relationship between an individual and its owning class
must be explicitly stated
– supports identification of a class’ members
© Aad van Moorsel, Newcastle University, 2010
16
relating information (cont.)
• individual to property
– individuals have values described by properties
– relationship allows the specification of values for
particular attributes of the individual
• restrictions between classes and properties
– can define which classes have which properties
– can constrain property values to be of a certain class
(range) or to only describe particular classes (domain)
© Aad van Moorsel, Newcastle University, 2010
17
core information security ontology elements
• information assets being accessed
– information that is of value to the organisation, which
individuals interact with and which must be secured to
retain its value
• the vulnerabilities that users create
– within IT infrastructure, but also within the processes that
a ‘user’ may partake in
• the intentional or unintentional threats user actions pose
– not just to IT infrastructure, but to process security and
productivity
• the potential process controls that may be used and their
identifiable effects
– these may be technical, but also actions within a business
process
• this formalised content is then encoded in an ontology
– represented in the Web Ontology Language (OWL)
© Aad van Moorsel, Newcastle University, 2010
18
security ontology: relationships
Fentz, ASIACCS’09, Formalizing Information Security Knowledge
© Aad van Moorsel, Newcastle University, 2010
19
security ontology: concepts
Fentz, ASIACCS’09, Formalizing Information Security Knowledge
© Aad van Moorsel, Newcastle University, 2010
20
security ontology: example of fire threat
Fentz, ASIACCS’09, Formalizing Information Security Knowledge
© Aad van Moorsel, Newcastle University, 2010
21
base metrics
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
objective
• understand the basis metrics important when assessing IT
systems
© Aad van Moorsel, Newcastle University, 2010
23
classifying metrics (part one)
quantitative vs. qualitative: quantitative metrics can be
expressed through some number, while qualitative metrics
are concerned with TRUE or FALSE
quality-of-service (QoS) metrics: express a grade of service
as a quantitative metric
non-functional properties are system properties beyond the
strictly necessary functional properties
IT management is mostly about quantitative/QoS/nonfunctional
© Aad van Moorsel, Newcastle University, 2010
24
common metrics (performance)
response time, waiting time, propagation delay:
user
request
arrival
at server
buffer
start
processing server
response
reply
received
by user
time
propagation
delay
waiting
time
proc.
time
propagation
delay
response time
(server perspective)
response time
(client perspective)
© Aad van Moorsel, Newcastle University, 2010
25
quantitative metrics
if you measure a metric several time, you will not always (or
always not) get the exact same result
metrics can be represented as random variables X, which
has characteristics such as mean, standard deviation,
variance and distribution
also for response time: mean response time, variance of the
response time, distribution of the response time
in next section we see how to derive these characteristics
given a set of measurement data
© Aad van Moorsel, Newcastle University, 2010
26
classifying metrics (part two)
performance metrics: timing and usage metrics
• CPU load
• throughput
• response time
dependability or reliability metrics: metrics related to accidental
failure
• MTTF
• availability
• reliability
security metrics: metrics related to malicious failures (attacks)
• ?
business metrics: metrics related to cost or benefits
• number of buy transaction in web site
• cost of ownership
• return on investment
© Aad van Moorsel, Newcastle University, 2010
27
common metrics (performance)
throughput = number of tasks a resource can complete per
time unit:
• jobs per second
• requests per second
• millions of instructions per second (MIPS)
• floating point operations per second (FLOPS)
• packets per second
• kilo-bits per second (Kbps)
• transactions per second
• ...
© Aad van Moorsel, Newcastle University, 2010
28
common metrics (performance)
capacity = maximum sustainable number of tasks
load = offered number of tasks
overload = load is higher than capacity
utilization = the fraction of resource capacity in use (CPU,
bandwidth);
for a CPU, this corresponds to the fraction of time the
resource is busy (some times imprecisely called the CPU
load)
© Aad van Moorsel, Newcastle University, 2010
29
relation between performance metrics
utilization versus response time, throughput and load:
overload
utilization
response time
1
utilization
0
1
load
throughput
0
0
utilization
1
© Aad van Moorsel, Newcastle University, 2010
30
common metrics (dependability/reliability)
systems with failures:
repair
operating
failure
failure
up
repair
failed
down
time
© Aad van Moorsel, Newcastle University, 2010
31
common metrics (dependability/reliability)
Mean Time To Failure (MTTF)
= average length up time period
Mean Time To Repair (MTTR)
= average length down time period
availability
= fraction of time system is up
= fraction up time
= MTTF / (MTTF + MTTR)
unavailability
= 1 – availability
= fraction up time
reliability at time t
= probability the system does not go down before t
© Aad van Moorsel, Newcastle University, 2010
32
relation between dependability metrics
availability and associated yearly down time:
availability
yearly down time
0.9
37 days
0.99
4 days
0.999
9 hours
0.9999
50 minutes
0.99999
5 minutes
© Aad van Moorsel, Newcastle University, 2010
33
relation between dependability metrics
if you have a system with 1 day MTTF and 1 hour MTTR,
would you work on the repair time or the failure time to
improve the availability?
availability
required MTTF
if MTTR = 1 hour
required MTTR
if MTTF = 1 day
0.96
0.99
0.999
0.9999
0.99999
1 day
4 days
6 weeks
14 months
11 years
1 hour
14 minutes
1½ minutes
9 seconds
1 second
© Aad van Moorsel, Newcastle University, 2010
34
five nines
© Aad van Moorsel, Newcastle University, 2010
35
conclusion
discussed the basis metrics important when managing IT
systems:
• performance metrics: throughput, utilization, response
time
• dependability metrics: availability, MTTF, MTTR
• security metrics
• business metrics
© Aad van Moorsel, Newcastle University, 2010
36
security metrics
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
measure security
Lord Kelvin:
“what you cannot measure, you cannot manage”
how true is this:
• in science?
• in engineering?
• in business?
and how true is:
“we only manage what we measure”?
© Aad van Moorsel, Newcastle University, 2010
38
some related areas: performance
measuring performance:
• we know CPU speed (and Intel measured it)
• we can easily measure sustained load (throughput)
• we can reasonably okay model for performance (queuing,
simulations)
• we’re pretty good in adapting systems for performance,
through load balancing etc.
• there is a TOP 500 for supercomputers
• we buy PCs based on performance, and their performance
is advertised
• companies buy equipment based on performance
© Aad van Moorsel, Newcastle University, 2010
39
some related areas: availability
measuring availability:
• we do not know much about CPU reliability (although Intel
measures it)
• it is easy, but time consuming to measure down time
• we can reasonably okay model for availability (Markov
chains), although we do not know parameter values for
fault and failure occurrences
• we’re rather basic in adapting systems for availability, but
there are various fault tolerance mechanisms
• there is no TOP 500 for reliable computers
• we do not buy PCs based on availability, and their
availability is rarely advertised
• companies buy equipment based on availability only for
top end applications (e.g. goods and finances admin of
super market chains)
© Aad van Moorsel, Newcastle University, 2010
40
how about security
measuring security:
• we do not know much about level of CPU security (and
Intel does not know how to measure it)
• it is possible to measure security breaches, but how much
do they tell you?
• we do not know how to model for levels of security, for
instance we do not know what attacks look like
• we’re only just starting to research adapting systems for
security—there sure are many security mechanisms
available
• there is no TOP 500 for secure computers
• we do not buy PCs based on privacy or security, and their
privacy/security is rarely advertised
• companies are very concerned about security, but do not
know how to measure it and show improvements
© Aad van Moorsel, Newcastle University, 2010
41
what’s special about security
security is a hybrid between functional and non-functional
(performance/availability) property
• it is tempting to think security is binary: it is secured or
not  common mistake
• security deals with loss and attacks
– you can measure after the fact, but would like to
predict
– maybe loss can still be treated like accidental failures
(as in availability)
– attacks certainly require knowledge of attackers, how
they act, when they act, what they will invent
• security level (even if we somehow divined it) is
meaningless:
– what’s the possible consequence
– how do people react to it (risk averse?)
© Aad van Moorsel, Newcastle University, 2010
42
how do people now measure security?
reporting after the fact:
• industry and government are obligated to report breaches
(NIST database and others)
• measure how many non-spam email went through, etc.
some predictive metrics as ‘substitute’ for security:
• how many CPU cycles needed to break encryption
technique?
• risk analysis: likelihood X impact, summed for all breaches
 but we know neither likelihood nor impact
© Aad van Moorsel, Newcastle University, 2010
43
why is measurable security important?
without good measures
• security is sold as all or nothing
• security purchase decisions are based on scare tactics
• system configuration (including cloud, SaaS) cannot be
judged for resulting security
© Aad van Moorsel, Newcastle University, 2010
44
CIA metrics
how about CIA
confidentiality: keep organisation’s data confidential
(privacy for the organisation)
integrity: data is unaltered
availability: data is available for use
• you can score them, and sum them up (see CVSS later)
• you can measure for integrity and availability if there is
centralized control
• you cannot easily predict them
© Aad van Moorsel, Newcastle University, 2010
45
good metrics
in practice, good metrics should be:
• consistently measured, without subjective criteria
• cheap to gather, preferably in an automated way
• a cardinal number or percentage, not qualitative labels
• using at least one unit of measure (defects, hours, ...)
• contextually specific—relevant enough to make decisions
from Jaquith’s book ‘Security Metrics’
© Aad van Moorsel, Newcastle University, 2010
46
good metrics
in practice, metrics cover four different aspects:
• perimeter defenses
– # spam detected, # virus detected
• coverage and control
– # laptops with antivirus software, # patches per month
• availability and reliability
– host uptime, help desk response time
• application risks
– vulnerabilities per application, assessment frequence for
an application
from Jaquith’s book ‘Security Metrics’
© Aad van Moorsel, Newcastle University, 2010
47
good metrics
how good do you think the metrics from Jaquith’s book
‘Security Metrics’ are?
it’s the best we can do now, but as the next slide shows,
there are a lot of open issues
© Aad van Moorsel, Newcastle University, 2010
48
good metrics
ideally good metrics should:
• not measure the process used to design, implement or
manage the system, but the system itself
• not depend on things you will never know (such as in risk
management)
• be predictive about the future security, not just reporting
the past
but these are very challenging properties we do not yet
know how to deliver
© Aad van Moorsel, Newcastle University, 2010
49
trust metrics
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
trust
trust [Gambetta]:
“expectation of an actor (trustor) that another
actor (trustee) will emit certain behavior,
in a context where the trustor may not be able to
monitor the trustee,
and where outcome of a social phenomenon
involving the trustor is dependent on that
behavior of the trustee”
© Aad van Moorsel, Newcastle University, 2010
51
trust: very complex notion
© Aad van Moorsel, Newcastle University, 2010
52
trust
trust is needed when uncertainty exists, either because
– something is not known, or
– one does not trust the source of the info
uncertainty in online transactions:
– the customer cannot monitor the provider
– the customer does not believe the legal institutions in a
different country will act honestly in case of disputes
– the customer does not believe a technological claim,
e.g., transactional properties
uncertainty may even exist when a proof is given: why
believe the proof is correct?
© Aad van Moorsel, Newcastle University, 2010
53
trust
uncertainty may even exist when a proof is given:
why believe the proof is correct?
that is, uncertainty is in the eye of the beholder
so, per definition, no technology solution exists for
trust
note furthermore:
‘trust is cheap, security is expensive’
‘the more trust exists, the less security is needed’
© Aad van Moorsel, Newcastle University, 2010
54
trust
no technology solution exists for trust
but we still can work toward improving trust
let us look at trust in cloud, where cooperation
between parties leads to business interactions
to establish cooperation, trust is needed  study
cooperation, tools to establish cooperation are
trust enablers
theory of Axelrod
© Aad van Moorsel, Newcastle University, 2010
55
how does trust develop?
© Aad van Moorsel, Newcastle University, 2010
56
Axelrod on cooperation
mutuality of preferences:
cooperation is beneficial for all
shadow of the future:
if one does not cooperate, it may hurt later
sanctioning:
if one does not cooperate, other parties (legal
institutions, mafia, ...) will sanction
© Aad van Moorsel, Newcastle University, 2010
57
how does trust develop?
© Aad van Moorsel, Newcastle University, 2010
58
Scott on institutions
to achieve Axelrod’s incentives, we use institutions:
constraints on behaviour of participating parties
• a legal institution can be expected to deter parties from
interactions that are against the law (‘regulative
institutions’)
• a norm from society or parents will influence how parties
behave (‘normative institutions’)
• the expectation that all parties are in it to make money
will restrict choices (‘cognitive institutions’)
© Aad van Moorsel, Newcastle University, 2010
59
Scott on institutions
© Aad van Moorsel, Newcastle University, 2010
60
technological institutions
for online interactions, technology also constrains behaviour
technological institutions
examples:
• a dedicated communication link instead of WWW reduces
uncertainty
• encryption reduces danger of losing important information
(perhaps at the cost of performance jitter)
• automated contract and non-repudiation
• automated agent-based negotiation
• ...
© Aad van Moorsel, Newcastle University, 2010
61
removing uncertainty through institutions
all states
states impossible
because of they would
not be economically
rational
states impossible
because of laws
© Aad van Moorsel, Newcastle University, 2010
states impossible
because technology
does not support
them
62
one party’s view, including (dis)trust
all states
remaining states
from one party’s
perspective
© Aad van Moorsel, Newcastle University, 2010
63
cooperation
a party will participate if it believes there are
beneficial states
a party will remain participating as long as the
states remain beneficial (can be relaxed)
a market will remain functioning if
– overlap in states for participating parties
– states will remain in overlap area
© Aad van Moorsel, Newcastle University, 2010
64
conclusion
an institutional framework for trust in cloud and
other online interactions
agents may implement state machines
– depicts the state the agent believes to be in
– determine the next action to take
basis for middleware for trust (uncertaintytolerance)
© Aad van Moorsel, Newcastle University, 2010
65
web of trust and
reputation systems
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
trust and reputation
reputation is a believe about a person’s (or thing’s)
character or standing (Jøsang, 2009)
could call it ‘trust in dependability of someone or
something’
so: reputation of B = expected [dependability trust
in B]
a quantitative metric!
© Aad van Moorsel, Newcastle University, 2010
67
trust and reputation
reputation is a believe about a person’s (or thing’s) character or
standing (Jøsang, 2009)
characteristics:
• reputation is public
• reputation is shared, but not necessarily adopted by all people
(they might not ‘trust’ the reputation number)
reputation is the trust level reported by someone else (person A),
but you may decide:
1. you do not trust the judgement of A
2. you do not trust the honesty of A
so you can have:
• I trust you despite your bad reputation
• I trust you because of your good reputation
© Aad van Moorsel, Newcastle University, 2010
68
security and trust
from Jøsang, IFIPTM 2009
• add cost to this figure
• at productivity loss to this figure
• at emergence of new applications to this figure
© Aad van Moorsel, Newcastle University, 2010
69
is trust transitive?
from Jøsang, IFIPTM 2009
© Aad van Moorsel, Newcastle University, 2010
70
PGP: Pretty Good Privacy
PGP is an asymmetric key solution:
-
symmetric: we share a password
asymmetric: we each have a public and a private
password, and only share the public one
use of asymmetric keys:
1. signing: I use my private key to encrypt a document 
everyone can use my public key to decrypt it, but if the
decryption succeeds, it is proof it came from me
2. encryption: I use your public key to encrypt a document
 only your private key can decrypt it
© Aad van Moorsel, Newcastle University, 2010
71
PGP: Pretty Good Privacy
can we trust in PGP?
main issue: if you give me your public key, why
should I trust it comes from you and has not been
tampered with?
solutions:
1. PKI: Public Key Infrastructure
2. Web of Trust (PGP’s solution)
© Aad van Moorsel, Newcastle University, 2010
72
PKI Certification Authority
Certification Authority (CA) assures the identity of the
owner of a public key
if you want a private/public key pair, you go to the CA
• it checks who you are and what kind of trust people can
place in you
• all your details and the public key are put in a public key
certificate
• you receive the public key certificate and the
private/public key pair
when you send the public key certificate to someone, the
person can check with the CA if you are who you say you
are
© Aad van Moorsel, Newcastle University, 2010
73
PKI
from Jøsang, IFIPTM 2009
© Aad van Moorsel, Newcastle University, 2010
74
Web of Trust
no certification authority
• you, A, as a new participant, create
your own public key certificate
• you go to someone, B, who is already
in the web of trust and ask that
person to sign your public key
certificate
• anyone who trusts B will now trust
your public key
• others may ask you to sign their
public key certificate
© Aad van Moorsel, Newcastle University, 2010
75
reputation systems
assume a system, with a number of participants
• all participants give feedback about other participants
• some mathematical formula computes resulting reputation
– reputation = sum positive scores – sum negative scores
(eBay)
– reputation = average all scores
– reputation = (1 + sum positive) / (1 + sum all scores)
– ...
• reputation computation can be centralized or distributed
© Aad van Moorsel, Newcastle University, 2010
76
data collection: honey pots and
security breaches data banks
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
honeypots
a honeypot
• pretends to be a resource with value to attackers, but is
actually isolated and monitored,
in order to:
• misguide attackers and analyze the behaviour of attackers.
© Aad van Moorsel, Newcastle University, 2010
78
honeypots
two types:
– high-interaction:
• real services, real OS, real application  higher risk
of being used to break in or attack others
• honeynets (two or more honeypots in a network)
– low-interaction:
• emulated services  low risk
• honeypots like nepenthes
© Aad van Moorsel, Newcastle University, 2010
79
an example of a hacker in a honeypot
SSH-1.99-OpenSSH_3.0
SSH-2.0-GOBBLES
GGGGO*GOBBLE*
uname -a;id
OpenBSD pufferfish 3.0 GENERIC#94 i386
uid=0(root) gid=0(wheel) groups=0(wheel)
ps -aux|more
USER PID %CPU %MEM
root 16042 0.0 0.1
root 25892 0.0 0.2
root 13304 0.0 0.1
...
root 1 0.0 0.1 332
VSZ RSS TT STAT STARTED TIME COMMAND
372 256 ?? R 2:48PM 0:00.00 more (sh)
104 452 ?? Ss Tue02PM 0:00.14 syslogd
64 364 ?? Is Tue02PM 0:00.00 portmap
200 ?? Is Tue02PM 0:00.02 /sbin/init
id
uid=0(root) gid=0(wheel) groups=0(wheel)
who
cat inetd.conf
attempt to edit the configuration file
for network services
© Aad van Moorsel, Newcastle University, 2010
80
data from a honeypot
data from 2003, number of different ‘attack’ sources
Pouget, Dacier, Debar: “Attack processes found on the Internet”
© Aad van Moorsel, Newcastle University, 2010
81
data from honeypots
a
•
•
•
lot of other data can be obtained
how do worms propagate?
how do attackers use zombies?
what kind of attackers do exist, and which ones start denialof-service attacks?
• which country do the attacks come from
• ...
Pouget, Dacier, Debar: “Attack processes found on the Internet”
© Aad van Moorsel, Newcastle University, 2010
82
honeypots
a honeynet is a network of honeypots and other information
system resources
T. Holz, “Honeypots and Malware Analysis—Know Your Enemy”
© Aad van Moorsel, Newcastle University, 2010
83
honeynets
three tasks in a honeynet:
1. data capture
2. data analysis
3. data control: especially highinteraction honeypots are vulnerable
of being misused by attackers 
control of data flow, neither to come
inside the organisation, nor to other
innocent parties
T. Holz, “Honeypots and Malware Analysis—Know Your Enemy”
© Aad van Moorsel, Newcastle University, 2010
84
US-CERT security vulnerabilities
United State Computer Emergency Readiness Team
people submit vulnerability notes, e.g.:
Vulnerability Note VU#120541
SSL and TLS protocols renegotiation vulnerability
A vulnerability exists in SSL and TLS protocols that may allow
attackers to execute an arbitrary HTTP transaction.
Credit: Marsh Ray of PhoneFactor
© Aad van Moorsel, Newcastle University, 2010
85
CVSS scoring in US-CERT
it uses a scoring system to determine how serious the
vulnerability is: Common Vulnerability Scoring System
(CVSS)
P. Mell et al, “CVSS—A Complete Guide to the CVSS Version 2.0”
© Aad van Moorsel, Newcastle University, 2010
86
CVSS
BaseScore = 0.6 x Impact + 0.4 x Exploitability
Impact = 10.41 x (1 - (1 - ConfImpact) x (1 - IntegImpact) x (1 AvailImpact) )
ConfImpact = case ConfidentialityImpact of
• none: 0.0
• partial: 0.275
• complete: 0.660
...
P. Mell et al, “CVSS—A Complete Guide to the CVSS Version 2.0”
© Aad van Moorsel, Newcastle University, 2010
87
statistics for modelling
and measurement
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
objective
• understand the basis statistics so you can take your own
measurements
© Aad van Moorsel, Newcastle University, 2010
89
measurements
x1, x2, x3, ..., xN are statistically independent measurement
samples (for instance response time measurements)
mathematically, xi, i=1...N, are realizations of random
variable X (for instance X represents the measured
response time)
an estimator is a function of
the samples (notation
)
X
X has a mean value (expectation), E[X]
what would be a reasonable estimator
X for E[X]?
© Aad van Moorsel, Newcastle University, 2010
90
unbiased estimators
X represents the estimator based on measured response time X
the real response time is represented by random variable R
mathematically, an unbiased estimator implies E[X ]= E[X]
source of estimator bias:
• mathematical subtleties (see standard deviation for one example)
for an experimentalist, an unbiased experiment implies also
E[X]=E[R]
sources of experiment bias:
• measurements not precise
• measurement points not exactly placed correctly
• environment of experiments not representative
© Aad van Moorsel, Newcastle University, 2010
91
unbiased estimators
mean:
variance:
(Var)
standard deviation:
(SD)
100α percentile:
Pr[ X  x]  
1
E[ X ] 
N
N
x
i 1
i
N
1
2
E[( X  E[ X ]) 2 ] 
(
x

E
[
X
]
)
 i
N  1 i 1
E[| X  E[ X ] |]  Var
smallest x such that
# xi  x

N
© Aad van Moorsel, Newcastle University, 2010
92
confidence intervals
central limit theorem: if I carry out an experiment often
enough, and average the result, then this average
converges, and takes on values close to a Normal
distribution
Allows one to construct “p-percent confidence intervals”:
the real value is p percent certain within the confidence
interval around the estimated value
note: that implies 100-p percent you’re off...
© Aad van Moorsel, Newcastle University, 2010
93
confidence interval
p-percent confidence interval:
c p .SD
c p .SD 

, E[ X ] 
 E[ X ] 

N
N 

where the constant cp depends on p, and can be read from
tables for Normal distribution percentiles:
p = 95%  cp = 1.65
p = 99%  cp = 1.96
© Aad van Moorsel, Newcastle University, 2010
94
example
you measure response time of a web site
x1 = 1 sec., x2 = 3 sec., x3 = 2 sec.
using the unbiased estimators:
E[ X ] = 2 sec and SD = 1 sec
95% confidence interval: [ 1.05 , 2.95 ]
99% confidence interval: [ 0.87 , 3.13 ]
increase the number of samples, 99% confidence interval:
N = 100:
[ 1.83, 2.17 ]
N = 10000:
[ 1.98, 2.02 ]
N = 1000000:
[ 1.998, 2.002 ]
© Aad van Moorsel, Newcastle University, 2010
95
confidence intervals prerequisite:
independent samples from identical distributions
the confidence interval statistics in this section applies only when
samples are statistically independent and representative for the
identical distribution (called i.i.d. or independent and
identically distributed)
examples of dependence:
• response time of subsequent web page customers: they might
both be influenced by the server being busy
• down time of a system in consecutive days: they might both be
influenced by a virus that was spread just around these days
example of independence:
• subsequent throws of a dice or tosses of a coin
• in systems, often samples are reasonably independent, but you
can never be sure
© Aad van Moorsel, Newcastle University, 2010
96
dealing with dependent samples
if you incorrectly assume independence, your confidence
interval will typically much narrower than it should  you
will have more confidence in your estimate than justified
to deal with dependence you can use method of batch
means or method of batches
the method of batches puts dependent samples in the same
batch  can assume independence between the batches
(and then the confidence interval theory applies again)
© Aad van Moorsel, Newcastle University, 2010
97
method of batch means
1. take the number of batches M to be 30 or more
2. create the batches: put x1 to xN/M in batch 1, xN/M+1 to x2N/M in
batch 2, etc.
(note: you will have M batches, each with N/M samples)
3. compute the means of each batch and call this yj for the j-th batch
4. then compute confidence intervals using y1 to yM instead of the
original samples x1 to xN
explanation: batches will be reasonably independent, as long as each
batch has a large quantity of samples
handy check: try it with different values of M (for instance for both 30
and 100 batches), if the batches are independent, the resulting
confidence intervals should be about the same (unfortunately, the
opposite doesn’t hold, so use with care)
© Aad van Moorsel, Newcastle University, 2010
98
conclusion
have discussed the basics behind doing good
system analysis
• metrics
• statistics
© Aad van Moorsel, Newcastle University, 2010
99
human factors and
economic drivers
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
trust economics
• research project funded by the UK Government’s
Technology Strategy Board (TSB)
• members include both academic institutions and industrial
organisations
– universities: Newcastle, Bath, UCL, Aberdeen,
– companies: HP Labs Bristol, Merrill Lynch, National Grid
• work is built on attempts to further understanding of a
number of diverse factors in information security
management, and how they are related
– human factors (UCL, Bath)
– economics of security (Bath, Aberdeen)
– business processes (HP, Merrill Lynch)
– security management tools (Newcastle)
• encapsulate insights from these strands of research
© Aad van Moorsel, Newcastle University, 2010
101
trust economics
• human factors
– user behaviour studies (e.g. USB sticks, password behaviours)
– rationalising human/security interaction
• economics of security
– economic modelling
– formalising relationships between security choices and economic
influences
• business processes
– utility functions
– system modelling
• security management tools
– information security & human factors ontology
– information security knowledge base tools
© Aad van Moorsel, Newcastle University, 2010
102
Newcastle ontology
• explicitly represent human factors in information security
management, and relate them to infrastructure components and
processes that are familiar to a Chief Information Security Officer
(CISO)
– elements of IT infrastructure that must be secured and controlled
– security standards that guide policy decisions (e.g. ISO27K)
• provides support for IT security management decision-making
– clearly and unambiguously represent elements of the IT security
infrastructure, but also the human behaviours that may arise or be
controlled as a result of deploying specific security mechanisms
• provides a means of encoding expert knowledge of human factors as
relates to IT security management
– this knowledge was previously unavailable to CISOs, or hidden away
in a form that made it difficult to communicate
© Aad van Moorsel, Newcastle University, 2010
103
use of an ontology
• an ontology helps to formally describe concepts and
taxonomies within information security management
– the exact meanings of terms can often be lost as they are
communicated or internalised within an organisation
• use of an ontology provides scope to identify the
interdependencies between various elements of
information security management
• an ontology can also be used to relate and communicate
different domains of knowledge across shared concepts,
and demonstrate the hierarchies that exist within them
• an ontology provides scope to reason about captured
knowledge
• reasoning may be achieved manually or by a machine
© Aad van Moorsel, Newcastle University, 2010
104
ontology structure
Infra.
Chapter
Proc.
1
1
hasFoundation
Behavioural
Foundation
Threat
exploitedBy
1
1
managesRiskOf
contains
*
*
Behaviour
Control
Section
1
*
*
hasRiskApproach
1
*
Guideline
Control Type
1
*
hasVulnerability
hasStakeholder
Vulnerability
*
hasSubject
contains
*
Guideline
Step
1
isMitigatedBy
contains
1
1
*
*
hasSubject
*
hasVulnerability
1
*
Asset
1
1
1
ownedBy
© Aad van Moorsel, Newcastle University, 2010
Role
105
ontology – password policy case study
Chapter
Number: 11
Single Password Memorisation
Difficult
Name: “ Access Control”
hasVulnerability
Section
Number: 11.3
Name: “User Responsibilities”
Objective: ...
Password
Guideline
Number: 11.3.1
Name: “Password Use”
Control: ...
Implementation Guidance (Additional): ...
Other Information: ...
hasSubject
Implementation Guidance Step
Number: 11.3.1 (d)
Guidance: “select quality passwords with sufficient minimum length which are:
1) easy to remember;
...”
© Aad van Moorsel, Newcastle University, 2010
106
case study – recall methods
Single Password Memorisation
Difficult
KEY
Classes
Vulnerability
Procedural Threat
Reduction
Educate Users in
Recall Techniques
Behavioural Foundation
Infrastructure Threat
Behaviour Control
Mindset
Password Stored Externally
to Avoid Recall
Insecure storage medium can
be exploited by malicious party
Asset
Control Type
Threat Consequence
Relationships
mitigated by
has vulnerability
exploited by
Reduction
Implement ISO27002 Guideline 11.3.1 (b),
“avoid keeping a record of passwords”
© Aad van Moorsel, Newcastle University, 2010
manages risk of
107
case study – password reset function
Single Password Memorisation
Difficult
Transfer
Helpdesk Password
Reset Management
User temporarily without access
Capability
Reduction
Helpdesk Provided With
Identity Verification Details
Single Password
Forgotten
Password Reset Process
Laborious
Automated Password
Reset System
Temporal
Mindset
Helpdesk Busy
Employee Becomes
Impatient
User compliance diminished
Reduction
User Account
Details Stolen
Malicious party gains access
IT Helpdesk Cannot
Satisfy Reset Request
Additional Helpdesk Staff
© Aad van Moorsel, Newcastle University, 2010
User temporarily without access
108
conclusion
Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
aad.vanmoorsel@newcastle.ac.uk
conclusion
part 1: assessment of security and trust
• used an ontology to describe the problem space
• noted subtle differences between security and trust
• realised that several security metrics have been proposed and used: CIA,
CVSS, Jaquith’s, but that
– security metrics are extremely challenging to define effectively: how
to make representative and predictive?
• noted that trust metrics are used in reputation systems and web of trust,
but that these are
– equally challenging to make representative and predictive
• provided basic methodology for good measurement studies
you now know some basics, apply it in the field and improve on the
methodologies used in information security assessment!
© Aad van Moorsel, Newcastle University, 2010
110
trust economics methodology
trust economics methodology for security decisions
trade off:
legal issues,
human tendencies,
business concerns,
...
a model
of the information
system
© Aad van Moorsel, Newcastle University, 2010
stakeholders
discuss
112
trust economics research
from the trust economics methodology, the following
research follows:
1. identify human, business and technical concerns
2. develop and apply mathematical modelling
techniques
3. glue concerns, models and presentation together using
a trust economics information security ontology
4. use the models to improve the stakeholders discourse
and decisions
© Aad van Moorsel, Newcastle University, 2010
113
our involvement
1.
–
2.
–
–
3.
–
–
–
4.
–
identify human, business and technical concerns
are working on a case study in Access Management (Maciej, James, with
Geoff and Hilary from Bath)
develop and apply mathematical modelling techniques
are generalising concepts to model human behaviour, and are validating it
with data collection (Rob, Simon, with Doug, Robin and Bill from UIUC)
do a modelling case study in DRM (Wen)
glue concerns, models and presentation together using a trust economics
information security ontology
developed an information security ontology, taking into account human
behavioural aspect (Simon)
made an ontology editing tool for CISOs (John)
are working on a collaborative web-based tool (John, Simon, Stefan from
SBA, Austria)
use the models to improve the stakeholders discourse and decision
using participatory design methodology, are working with CISOs to do a user
study (Simon, Philip and Angela from UCL)
© Aad van Moorsel, Newcastle University, 2010
114
example of the trust economics methodology
passwords
Information Security Management
Find out about how users behave, what the business issues
are:
CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in
IT.
Interviewer1: Do you think it would be useful to configure different user
classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss
occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. Eg. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the
assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration
if needed later. So, the costs of the password policy: running costs, helpdesk
staff, trade-off of helpdesk vs. productivity
CISO1: That’s right.
© Aad van Moorsel, Newcastle University, 2010
116
Information Security Management
Find out about how users behave, what the business issues
are:
Discussion of "Productivity Losses":
CISO2: But it’s proportional to amount they earn. This is productivity. eg. $1m
salary but bring $20m into the company. There are expense people and
productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a
cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and
what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small
company.
© Aad van Moorsel, Newcastle University, 2010
117
a model of the IT system
© Aad van Moorsel, Newcastle University, 2010
118
tool to communicate
the result to a CISO
Password Policy Composition Tool
File
Help
Breaches / Productivity / Cost
[projected per annum for 100-user sample]
BREACHES
#
Full
#
Composite
#
Partial
#
Productivity
#
Costs
#
BREACHES:
Composite
Policy Properties
ss 3 350
Cla
Cla
ss 1 280
Cla
Password Change Notification:
#upper
i
upper
#upper
#
#min_length
#upper
i
#notif_days
#lower
#lower
Password Login Attempts:
Password Complexity:
i
#upper
#
#
ss 2 175
No.
ss 3 350
Cla
Organisation Properties User Properties
Password Length:
upper
#upper
#
Partial
Cla
ss 2 175
ss 1 280
Cla
Cla
ss 3 350
ss 2 175
Cla
Cla
ss 1 280
No.
No.
Full
i
#upper
char_classes
max_retries
#
lower
#
lower
Password Change Frequency:
#upper
i
#change_frequency
#lower
Generate Output
© Aad van Moorsel, Newcastle University, 2010
Export Policy
119
an information security
ontology incorporating
human-behavioural implications
Simon Parkin, Aad van Moorsel
Newcastle University
Centre for Cybercrime and Computer Security
UK
Robert Coles,
Bank of America, Merrill Lynch
UK
trust economics ontology
• we want to have a set of tools that implement the trust
economics methodology
• needs to work for different case studies
• need a way to represent, maintain and interrelate relevant
information
• glue between
– problem space: technical, human, business
– models
– interfaces
© Aad van Moorsel, Newcastle University, 2010
121
using an ontology
• We chose to use an ontology to address these
requirements, because:
– An ontology helps to formally define concepts and
taxonomies
– An ontology serves as a means to share knowledge
• Potentially across different disciplines
– An ontology can relate fragments of knowledge
• Identify interdependencies
© Aad van Moorsel, Newcastle University, 2010
122
business, behaviour and security
• Example: Password Management
– There is a need to balance security and ease-of-use
– A complex password may be hard to crack, but might
also be hard to remember
• Is there a way to:
– Identify our choices in these situations?
– Consider the potential outcomes of our choices in a
reasoned manner?
© Aad van Moorsel, Newcastle University, 2010
123
requirements
• Standards should be represented
– Information security mechanisms are guided by policies, which are
increasingly informed by standards
• The usability and security behaviours of staff must be
considered
–
–
–
–
Information assets being accessed;
The vulnerabilities that users create;
The intentional or unintentional threats user actions pose, and;
The potential process controls that may be used and their
identifiable effects
• CISOs must be able to relate ontology content to the
security infrastructure they manage
– Representation of human factors and external standards should be
clear, unambiguous, and illustrate interdependencies
© Aad van Moorsel, Newcastle University, 2010
124
information security ontology
• We created an ontology to represent the humanbehavioural implications of information security
management decisions
– Makes the potential human-behavioural implications visible and
comparable
• Ontology content is aligned with information security
management guidelines
– We chose the ISO27002: “Code of Practice” standard
– Provides a familiar context for information security managers (e.g.
CISOs, CIOs, etc.)
– Formalised content is encoded in the Web Ontology Language
(OWL)
• Human factors researchers and CISOs can contribute
expertise within an ontology framework that connects
their respective domains of knowledge
– Input from industrial partners and human factors researchers helps
to make the ontology relevant and useful to prospective users
© Aad van Moorsel, Newcastle University, 2010
125
ontology - overview
Infra.
Chapter
Proc.
1
1
hasFoundation
Behavioural
Foundation
Threat
exploitedBy
1
1
managesRiskOf
contains
*
*
Behaviour
Control
Section
1
*
*
hasRiskApproach
1
*
Guideline
Control Type
1
*
hasVulnerability
hasStakeholder
Vulnerability
*
hasSubject
contains
*
Guideline
Step
1
isMitigatedBy
contains
1
1
*
*
hasSubject
*
hasVulnerability
1
*
Asset
1
1
1
ownedBy
© Aad van Moorsel, Newcastle University, 2010
Role
126
ontology – password policy example
Chapter
Single Password Memorisation
Difficult
Number: 11
Name: “ Access Control”
hasVulnerability
Section
Number: 11.3
Name: “User Responsibilities”
Objective: ...
Password
Guideline
Number: 11.3.1
Name: “Password Use”
Control: ...
Implementation Guidance (Additional): ...
Other Information: ...
hasSubject
Implementation Guidance Step
Number: 11.3.1 (d)
Guidance: “select quality passwords with sufficient minimum length which are:
1) easy to remember;
...”
© Aad van Moorsel, Newcastle University, 2010
127
example – password memorisation
KEY
Classes
Vulnerability
Procedural Threat
Single Password Memorisation
Difficult
Acceptance
Capability
Maintain Password
Policy
Single Password
Forgotten
Behavioural Foundation
Infrastructure Threat
Behaviour Control
Asset
Control Type
User temporarily without access
Reduction
Make Password Easier
To Remember
Threat Consequence
Relationships
mitigated by
has vulnerability
exploited by
manages risk of
© Aad van Moorsel, Newcastle University, 2010
128
example – recall methods
Single Password Memorisation
Difficult
KEY
Classes
Vulnerability
Procedural Threat
Behavioural Foundation
Reduction
Educate Users in
Recall Techniques
Infrastructure Threat
Behaviour Control
Asset
Mindset
Password Stored Externally
to Avoid Recall
Insecure storage medium can
be exploited by malicious party
Control Type
Threat Consequence
Relationships
mitigated by
has vulnerability
Reduction
Implement ISO27002 Guideline 11.3.1 (b),
“avoid keeping a record of passwords”
© Aad van Moorsel, Newcastle University, 2010
exploited by
manages risk of
129
example – password reset function
Single Password Memorisation
Difficult
Transfer
Helpdesk Password
Reset Management
User temporarily without access
Capability
Reduction
Helpdesk Provided With
Identity Verification Details
Single Password
Forgotten
Password Reset Process
Laborious
Automated Password
Reset System
Temporal
Mindset
Helpdesk Busy
Employee Becomes
Impatient
User compliance diminished
Reduction
User Account
Details Stolen
Malicious party gains access
IT Helpdesk Cannot
Satisfy Reset Request
Additional Helpdesk Staff
© Aad van Moorsel, Newcastle University, 2010
User temporarily without access
130
conclusions
• CISOs need an awareness of the human-behavioural
implications of their security management decisions
• human Factors researchers need a way to
contribute their expertise and align it with concepts
that are familiar to CISOs
– standards
– IT infrastructure
– business processes
• we provided an ontology as a solution
– serves as a formalised base of knowledge
– one piece of the Trust Economics tools
© Aad van Moorsel, Newcastle University, 2010
131
an ontology for structured systems economics
Adam Beaument
UCL, HP Labs
David Pym
HP Labs, University of Bath
ontology to link with the models
thus far, trust economics ontology represent technology
and human behavioural issues
how to glue this to the mathematical models?
© Aad van Moorsel, Newcastle University, 2010
133
ontology
© Aad van Moorsel, Newcastle University, 2010
134
example process algebra model
© Aad van Moorsel, Newcastle University, 2010
135
conclusion on trust economics ontology
trust economics ontology is work in progress
- added human behavioural aspects to IT security
concepts
- provided an abstraction that allows IT to be
represented tailored to process algebraic model
to do:
- complete as well as simplify...
- proof is in the pudding: someone needs to use it in a
case study
© Aad van Moorsel, Newcastle University, 2010
136
an ontology editor and a community ontology
John Mace (project student)
Simon Parkin
Aad van Moorsel
Stefan Fenz
SBA, Austria
stakeholders
• Chief Information Security Officers (CISOs)
• Human Factors Researchers
• Ontology experts
© Aad van Moorsel, Newcastle University, 2010
138
current ontology development
• requires use of an ontology creation tool
• graphical or text based tools
• both create machine readable ontology file from user
input
• user must define underlying ontology structure
© Aad van Moorsel, Newcastle University, 2010
139
current development issues
• knowledge required of ontology development and tools
• development knowledge held by ontology experts and not
those whose knowledge requires capture
• current tools are complex and largely aimed at ontology
experts
• process is time-consuming and error prone
© Aad van Moorsel, Newcastle University, 2010
140
how would you want to write ontology content?
<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
<mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
<exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>
© Aad van Moorsel, Newcastle University, 2010
141
proposed solution
• a simple, intuitive tool to create/modify ontology in
graphical form
• captures knowledge of domain experts while removing
need to know of ontology construction techniques
• underlying information security ontology structure is
predefined
• interactive help system and mechanisms to minimise error
© Aad van Moorsel, Newcastle University, 2010
142
implementation overview
Chief Information Security Officer (CISO) /
Human Factors Researcher (HFR)
enter content
load
existing
diagram
Ontology Diagram Store
ontology
diagram
save
current
diagram
Java Translation Program
ontology
file
Ontology File Store
Ontology Editor
© Aad van Moorsel, Newcastle University, 2010
143
ontology editor
© Aad van Moorsel, Newcastle University, 2010
144
adding new concept
© Aad van Moorsel, Newcastle University, 2010
145
ontology diagram
© Aad van Moorsel, Newcastle University, 2010
146
Java translation program
Ontology Diagram
diagram
saved to
Temp
folder
Ontology File
diagram
retrieved
from Temp
folder
file saved
file created
user defined
parameters
Java Translation Program
Ontology Editor
Ontology File Store
Java libraries imported
Java 1.5 API
Xerces API
© Aad van Moorsel, Newcastle University, 2010
OWL API
147
ontology file
• written in machine readable Web Ontology Language OWL
• created using OWL API
• file structure:
– header
– classes
– data properties
– object properties
– individuals
© Aad van Moorsel, Newcastle University, 2010
148
ontology file example
<Vulnerability rdf:about="#SinglePasswordMemorisationDifficult">
<mitigatedBy rdf:resource="#MakePasswordEasierToRemember"/>
<exploitedBy rdf:resource="#SinglePasswordForgotten"/>
</Vulnerability>
© Aad van Moorsel, Newcastle University, 2010
149
summary
• need for information security ontology editing tool
• proposed tool allows domain experts to develop ontology
without knowledge of ontology construction
• delivers machine readable ontology files
• simplifies development process
• allow further development of ‘base’ ontology
© Aad van Moorsel, Newcastle University, 2010
150
future developments
• ontology too large for small group to develop effectively
• vast array of knowledge held globally
• ontology development needs to be a collaborative process
to be effective
• web-oriented collaborative editing tool
• basis for 3rd year dissertation
© Aad van Moorsel, Newcastle University, 2010
151
user evaluation for trust economics software
Simon Parkin
Aad van Moorsel
Philip Inglesant
Angela Sasse
UCL
participatory design of a trust economics tool
assume we have all pieces together:
• ontology
• models
• CISO interfaces
what should the tool look like?
we conduct a participatory design study with CISOs from:
• ISS
• UCL
• National Grid
method: get wish list from CISOs, show a mock-up tool and
collect feedback, improve, add model in background, try it
out with CISOs, etc.
© Aad van Moorsel, Newcastle University, 2010
153
information security management
find out about how users behave, what the business issues
are:
CISO1: Transport is a big deal.
Interviewer1: We’re trying to recognise this in our user classes.
CISO1: We have engineers on the road, have lots of access, and are more gifted in
IT.
Interviewer1: Do you think it would be useful to configure different user
classes?
CISO1: I think it’s covered.
Interviewer1: And different values, different possible consequences if a loss
occurs. I’m assuming you would want to be able to configure.
CISO1: Yes. Eg. customer list might or might not be very valuable.
Interviewer1: And be able to configure links with different user classes and the
assets.
CISO1: Yes, if you could, absolutely.
Interviewer1: We’re going to stick with defaults at first and allow configuration
if needed later. So, the costs of the password policy: running costs, helpdesk
staff, trade-off of helpdesk vs. productivity
CISO1: That’s right.
© Aad van Moorsel, Newcastle University, 2010
154
information security management
find out about how users behave, what the business issues
are:
Discussion of "Productivity Losses":
CISO2: But it’s proportional to amount they earn. This is productivity. eg. $1m
salary but bring $20m into the company. There are expense people and
productivity people.
Interviewer1: We have execs, “road warrior”, office drone. Drones are just a
cost.
Interviewer2: And the 3 groups have different threat scenarios.
CISO2: Risk of over-complicating it, hard to work out who is income-earner and
what proportion is income earning.
Interviewer2: But this is good point.
CISO2: Make it parameterisable, at choice of CISO.
…
CISO2: So, need to be able to drill down into productivity, cost, - esp in small
company.
© Aad van Moorsel, Newcastle University, 2010
155
example of the trust economics methodology
access management
Maciej Machulak (also funded by JISC SMART)
James Turland (funded by EPSRC AMPS)
Wen Zeng (for DRM)
Aad van Moorsel
Geoff Duggan
Hilary Johnson
University of Bath
SMART project description
• the SMART (Student-Managed Access to Online Resources)
project will develop an online data access management
system based on the User-Managed Access (UMA) Web
protocol, deploy it within Newcastle University and
evaluate the system through a user study.
– The project team will also contribute to the
standardisation effort of the UMA protocol by actively
participating in the User-Managed Access Work Group
(UMA WG – charter of the Kantara Initiative)
© Aad van Moorsel, Newcastle University, 2010
157
project description - UMA
• User-Managed Access protocol – allows an individual control
the authorization of data sharing and service access made
between online services on the individual's behalf.
Source: http://kantarainitiative.org/confluence/display/uma/UMA+Explained
© Aad van Moorsel, Newcastle University, 2010
158
project description – objectives
• objectives:
– Define scenario for UMA use case within Higher
Education (HE) environments
– Develop UMA-based authorisation solution
– Deploy the UMA-based solution within Newcastle
University:
• Integrate the system with institutional Web
applications
• Evaluate the system through a user study
– Contribute with the scenario, software and project
findings to the UMA WG and actively participate in the
standardisation effort of the UMA Web protocol.
– Demonstrate, document and disseminate project
outputs
© Aad van Moorsel, Newcastle University, 2010
159
trust economics applied to access management
• we build the application
• we build models to quantify trust or CIA properties
• we investigate user interfaces and user behaviour to input
into the model
related: we also build DRM models, trading off productivity
and confidentiality
© Aad van Moorsel, Newcastle University, 2010
160
modelling concepts and model validation
Rob Cain (funded by HP)
Simon Parkin
Aad van Moorsel
Doug Eskin (funded by HP)
Robin Berthier
Bill Sanders
University of Illinois at Urbana-Champaign
project objectives
• performance models traditionally have not included human
behavioural aspects in their models
• we want to have generic modelling constructs to represent
human behaviour, tendencies and choices:
– compliance budget
– risk propensity
– impact of training
– role dependent behaviour
• we want to validate our models with collected data
– offline data, such as from interviews
– online data, measure ‘live’
• we want to optimise the data collection strategy
• in some cases, it makes sense to extend our trust economics
methodology with a strategy for data collection
162
© Aad van Moorsel, Newcastle University, 2010
presentation of Möbius
© Aad van Moorsel, Newcastle University, 2010
163
sample Möbius results
Without Comp Budget Feedback
380
360
340
320
Utility
300
HB Score
280
260
240
220
0
0.1
0.2
0.3
0.4
0.5
0.6
Prob of Encryption
0.7
© Aad van Moorsel, Newcastle University, 2010
0.8
0.9
1
164
sample Möbius results (cont.)
Using Comp Budget Feedback
380
360
340
320
Utility
300
HB Score
280
260
240
220
0
0.1
0.2
0.3
0.4
0.5
0.6
Prob of Encryption
0.7
© Aad van Moorsel, Newcastle University, 2010
0.8
0.9
1
165
criticality of using data
• the goal of using data is to provide credibility to the
model:
– by defining and tuning input parameters according to
individual organization
– by assessing the validity of prediction results
• issues:
– numerous data sources
– collection and processing phases are expensive and
time consuming
– no strategy to drive data monitoring
– mismatch between model and data that can be
collected
© Aad van Moorsel, Newcastle University, 2010
166
data collection approach
Stakeholders
1
2
Data
Sources
Cost / Quality
Model
Importance
3
4
1.
2.
3.
4.
•
•
Input parameter definition
Output validation
Design specialized model according to requirements
Classify potential data sources according to their cost and quality
Optimize collection of data according to parameter importance
Run data validation and execute model
© Aad van Moorsel, Newcastle University, 2010
167
data sources classification
• Cost:
– Cost to obtain
– Time to obtain
– Transparency
– Legislative process
• Quality:
– Accuracy
– Applicability
• Importance:
– Influence of parameter value on output
© Aad van Moorsel, Newcastle University, 2010
168
Organization Budget Parameters
input/o
Category
utput
Parameter
Description
Variables
Influence
Data Sources and Cost
IT security survey
(http://www.gartner.com,
http://www.gocsi.com)
in
Budget
Total security
investment
IT budget. Default
is 100
medium
interview with IT directors
public gov. budget data
in
in
in
Budget
Training
investment
Training budget.
Always, one-off
100
Experimental
value. Proportion
Support proportion
of Active Security
Budget
of budget
Investment used
for support
Budget
Low
Medium
High
Monitoring
proportion of
budget
Experimental
value. 1 – (Support
proportion of
budget)
USB stick =
100, software =
0, install and
maintenance =
0
interview with IT directors
low
public gov. budget data
interview with IT directors
high
public gov. budget data
interview with IT directors
high
© Aad van Moorsel, Newcastle University, 2010
public gov. budget data
169
Overall Human Parameters
input/
output
in
in
Category
User
behavior
User
behavior
Parameter
Description
Compliance
budget
Effort willing to
spend
conforming
with security
policy that
doesn't benefit
you.
Perceived
benefit of task
Effort willing to
put in without
using
compliance
budget.
Variables
Influence
Generalised:
understanding,
investment,
incentives
© Aad van Moorsel, Newcastle University, 2010
Data Sources and Cost
User survey
170
password: probability of break-in
input/ou
tput
Category
Parameter
in
Culture of
organization
in
User behavior Password strength
in
Attacker
Password strength
determination threshold
in
User behavior
Password update
frequency
in
User behavior
in
Description
Prob, of leaving default
password
Variables
Influence
Organization policy, user training
medium
Organization policy, user training
medium
Password stength, attacker
determination
medium
Organization policy, user training
medium
Prob. of being locked
out
when password is forgotten Organization policy, user training
medium
User interface
Prob. of finding lost
password
efficiency of password
recovery tech.
medium
in
User interface
Prob. of needing
support
(#support queries / #users) prob. of forgetting password
medium
in
User behavior
Management
reprimands
medium
in
User behavior
Negative support
experiences
medium
out
User behavior
Prob. password can be
compromised
out
Security
Availability
#successful data transfer
high
out
Security
Confidentiality
#exposures + #reveals
high
Compromised by brute
force attack
Data Sources and Cost
high
© Aad van Moorsel, Newcastle University, 2010
171
data collection research
four sub problems:
• determine which data is needed to validate the model:
– provide input parameter values
– validate output parameters
• technical implementation of the data collection
• optimize data collection such that cost is within a certain
bound: need to find the important parameters and trade
off with cost of collecting it
• add data collection to the trust economics methodology:
– a data collection strategy will be associated with the
use of a model
© Aad van Moorsel, Newcastle University, 2010
172
conclusion
trust economics research in Newcastle:
• ontology for human behavioural aspects, incl. editor and
community version
• tool design with CISOs
• modelling: DRM and Access Management
• data collection strategies for validation
work to be done:
• generic ontology for trust economics, underlying the tools
• actual tool building
• evaluation of the methodology
© Aad van Moorsel, Newcastle University, 2010
173
trust economics info
http://www.trust-economics.org/
Publications:
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel,
Robert Coles. International Conference on Security of Information and Networks, 2009
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel.
International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel.
International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon
Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre C. Gacek, F. Gadducci and M. ter
Beek (Eds.), Springer, LNCS 5835, pp. 49—75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David
Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin,
Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium, 2008.
Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van
Moorsel. CS-TR 1191, 2010
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel.
CS-TR 1172, 2009
• Use Cases for User-Centric Access Control for the Web, Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel,
Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007
© Aad van Moorsel, Newcastle University, 2010
174