the role of science in cybercrime prevention and computer security, inaugural, July 29, 2010. Aad van Moorsel, Newcastle University, School of Computing Science, Centre for Cybercrime and Computer Security
Dec 19, 2015
© Aad van Moorsel, Newcastle University, 2010
outline
1. motivation
2. CISO decision-making
3. trust economics methodology
   • economics
   • models
   • human aspects
4. vision for the future
   • decision making: science and tools
   • design methodology
   • user managed access example
5. conclusion
facebook decision making
what should facebook consider?
– the law, or making profits?
– ethics, or making profits?
– principles, or making profits?
– understanding the limitations of the panic button, or political pressure?
security decisions combine
– technology
– psychology
– sociology
– business
– economics
security decision-making
decisions at various levels:
– policy makers:
  • anti-terrorism
  • cybercrime laws and regulations
  • regulating social networks
– companies and organisations:
  • allow facebook in the workplace?
  • integrate applications across government (g-cloud)
– individuals:
  • should I order from this web site?
  • should I trust this seller?
CISO
responsible for protecting an organisation’s information
fascinating job:
– technology
– threats, crime
– organisational politics
– risk management
– high responsibility
how are CISOs doing:
– with respect to employees
– with respect to business
CISO employees
confidentiality – availability trade-off
– better protected (confidentiality up)
– but you may lose the keys... (availability down)
for employees, additionally:
– time wasted
– privacy
CISO employees
CISOs are experienced in trading off confidentiality and availability from the company perspective
problem: the CISO has no objective means to identify and communicate the value and importance of usability for the employee
we need tools that consider the employee but put the CISO and their task at the centre; the tool itself should seem to disappear
CISO business
Forrester finds:
1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. focus on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are
Forrester © 2010: ‘The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk’
how do CISOs do?
the CISO at a high-value firm scores its security at 2.5 out of 3
the CISO at a low-value firm scores its security at 2.6 out of 3
high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data
so, the CISOs think security is okay/the same, despite the differences in actual accidents at a firm...
Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics
Phillips curve: inflation versus unemployment
(figure: Phillips curve with a marked current point, “assume we’re here”)
weigh inflation and unemployment
the UK decides its target combination of unemployment and inflation
instrument
the central bank has an instrument: interest rate
inflation increases with interest rate
you can solve equations to find out which interest rate is best for a country
instrument: change interest rate
lower interest rate to move to target
how does this work for security investments?
• you want to optimize a utility function combining confidentiality and availability
• you can use as instrument:
  – more monitoring of employees
  – more training
we would like to use economics’ models
• but we have no nice functions for:
  – the relation between availability and confidentiality
  – monitoring nuisance to employees vs. confidentiality gain
instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over the past 40 years
information security ontology
first, we define our problem space: an ontology
not unlike a dictionary:
• a collection of interrelated terms and concepts that describe and model a domain
• expressed in a formal ontology language (OWL)
simple base example ontology
(figure, shown on two consecutive slides: four concepts, asset, vulnerability, threat and control, linked by the relations “on”, “exploited by”, “mitigated by”, “threatens” and “implemented by”)
includes human behavioural concerns
(figure: ontology fragment whose relation types are Transfer, Capability, Reduction, Temporal and Mindset, linking the concepts Helpdesk Password Reset Management; Single Password Memorisation Difficult; Single Password Forgotten; IT Helpdesk Cannot Satisfy Reset Request; Automated Password Reset System; Additional Helpdesk Staff; Helpdesk Busy; Password Reset Process Laborious; User temporarily without access; User compliance diminished; Employee Becomes Impatient; Helpdesk Provided With Identity Verification Details; User Account Details Stolen; Malicious party gains access)
system model: places and roles
the model describes how the system moves between states
probabilities and distributions
we use probabilities:
• to represent uncertainty: A or B may happen
• to represent long-run fractions: 60 percent of the time A happens
we also need to represent uncertainty about duration:
• use probability distributions
  – all possible durations have a probability
  – they sum to 1
system model: probabilities and distributions
• 2 in 3 employees next go in transit when at the desk
• 1 in 3 employees next go to the conference room when at the desk
• travel to a client takes between 45 and 75 minutes, uniformly spread
rewards define the utility for various states
• confidentiality penalty if lost in transit
• penalty for the employee losing time with a password
• availability penalty if slides cannot be accessed
embed these CS tools into joint decision-making tools
(figure: objective decision-making tools)
results
if we use a certain instrument (disallow data to be carried unencrypted), we can now solve these models:
• the CISO finds out how the employee would respond to the instrument
• based on employee preferences, the CISO finds out if it is beneficial for the company and at what value to set the instrument
• the CISO can try other instruments as well
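An added worked example, not from the lecture, of the kind of model the slides describe: a small Markov chain over the employee's places with rewards for confidentiality, availability and employee time, a sanction for carrying data unencrypted as the CISO's instrument, the employee's best response to it, and the resulting company utility. Apart from the 2-in-3 and 1-in-3 desk transitions quoted from the slides, every place, parameter name and value is a constructed assumption.

```python
# Toy trust-economics model (added example; all parameters constructed).
PLACES = ["desk", "transit", "conference", "client"]
# At the desk 2 in 3 employees next go in transit, 1 in 3 to the conference
# room (from the slides); the remaining transitions are assumed.
P = [
    [0.0, 2 / 3, 1 / 3, 0.0],  # desk
    [0.0, 0.0, 0.0, 1.0],      # transit -> client
    [1.0, 0.0, 0.0, 0.0],      # conference -> desk
    [1.0, 0.0, 0.0, 0.0],      # client -> desk
]

def stationary(matrix, iters=10_000, tol=1e-12):
    """Long-run fraction of time spent in each place (power iteration)."""
    n = len(matrix)
    pi = [1.0 / n] * n
    for _ in range(iters):
        nxt = [sum(pi[i] * matrix[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(pi, nxt)) < tol:
            return nxt
        pi = nxt
    return pi

PI = dict(zip(PLACES, stationary(P)))

EFFORT = 10.0        # employee effort, convex in encryption level (assumed)
P_CAUGHT = 0.25      # chance a spot check catches unencrypted data in transit
CONF_LOSS = 400.0    # confidentiality penalty scale: unencrypted data in transit
AVAIL_LOSS = 40.0    # availability penalty: forgotten passwords lock users out
TIME_LOSS = 20.0     # employee time lost on encryption and passwords
MONITOR_COST = 0.02  # company cost per unit of sanction (monitoring effort)
VALUE = 150.0        # baseline value of the information

def employee_cost(e, sanction):
    """Employee's expected cost at encryption level e in [0, 1]."""
    return EFFORT * e ** 2 + sanction * P_CAUGHT * PI["transit"] * (1 - e)

def employee_best_response(sanction):
    """Encryption level (0.1 grid) the employee picks under a given sanction."""
    return min((i / 10 for i in range(11)), key=lambda e: employee_cost(e, sanction))

def company_utility(e, sanction):
    """Value minus confidentiality, availability, time and monitoring penalties."""
    conf = CONF_LOSS * PI["transit"] * (1 - e)
    avail = AVAIL_LOSS * (PI["desk"] + PI["client"]) * e
    return VALUE - conf - avail - TIME_LOSS * e - MONITOR_COST * sanction

def solve(sanction):
    """What the CISO learns: the employee's response and the company's utility."""
    e = employee_best_response(sanction)
    return e, company_utility(e, sanction)
```

Calling solve() for sanctions 20, 50, 100, 200 and 500 reproduces the shape of the two result plots: the employee's chosen encryption level rises with the sanction, and so does company utility.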
results
(figure: two plots against the instrument value, x axis 20, 50, 100, 200, 500: “best encryption level employee” on a 0 to 1 scale and “utility for company” on a 0 to 140 scale)
trans-disciplinary research
• economics
• psychology, social sciences
• CS: technology + modelling
probabilistic/stochastic modelling
Markov and Kolmogorov laid the mathematical foundations before WWII
40 years of CS research:
• the rare-event problem in dependability precluded Monte Carlo simulation
• performability and stochastic Petri net tools (Meyer, Trivedi)
• extraordinary advances in tool building: fast algorithms, BDDs, a billion states is routine (Sanders, Ciardo)
• ongoing integration with model checking (Haverkort, Kwiatkowska)
rigour through stochastic models
do we make better decisions?
(figure: timeline from 2005 to 2015++: best modeller judgement; ask specialists if all right; ask CISOs if decisions are better; collect and compile data and evidence)
trust-economics as design methodology
back to facebook: how to protect your data across all your social network sites?
currently:
• OAuth 2.0 and similar protocols make it easy for facebook and others to distribute your data (with your permission)
• we are developing user managed access (UMA), which makes it easy for you to protect your data
UMA is a standards effort of the Kantara initiative, with PayPal, Sun and others
user managed access
one possible usage model: facebook and others put a UMA button on their site for you to apply access restrictions to data
trust economics in the design
predict the trade-off between confidentiality and availability
• identify how people would use UMA
  – to configure access restrictions
  – to access data
• analyse different design alternatives
  – UMA button
  – seamless OAuth access
• model attacks and failure
this is not a GUI study; this is not a business case
it’s adding science into the design to consider incentives, habits and trade-offs of multiple parties
trust economics research
(figure: timeline 2005 to 2010 and beyond: TE methodology defined; articulating the CISO perspective; CISO decision making tools; ontology; compliance budget; TE as a design methodology; long-term scientific validation; HP ViStorm business; models for human behaviour / preferences; case studies ++)
thanks
Johari, Jamal, Rob, Dee, John, Martin, Christiaan, John, Maciej, Lukasz, Simon, Gemma, Chris, James, Rouaa, Wen, Rachel, Marios, Darek, Dasha
see web site for all their papers (ontologies, CISOs, data collection, modelling, case studies, UMA, ...)
• trust economics projects (TSB, HP and others)
• SMART projects (TSB, JISC)
• projects with Nigel (EPSRC)
all of you