The role of science in cybercrime prevention and computer security
inaugural lecture, July 29, 2010
Aad van Moorsel, Newcastle University, School of Computing Science, Centre for Cybercrime and Computer Security

Transcript

Page 1

the role of science in cybercrime prevention and computer security
inaugural, July 29, 2010

Aad van Moorsel
Newcastle University, School of Computing Science
Centre for Cybercrime and Computer Security

[email protected]

Page 2

© Aad van Moorsel, Newcastle University, 2010

outline

1. motivation
2. CISO decision-making
3. trust economics methodology
   • economics
   • models
   • human aspects
4. vision for the future
   • decision making: science and tools
   • design methodology
   • user managed access example
5. conclusion

Page 3

motivation

Page 4

facebook dangers and controversies

Page 5

facebook decision making

what should facebook consider?
– the law, or making profits?
– ethics, or making profits?
– principles, or making profits?
– understanding the limitations of the panic button, or political pressure?

security decisions combine
– technology
– psychology
– sociology
– business
– economics

Page 6

facebook panic button

Page 7

security decision-making

decisions at various levels:
– policy makers:
  • anti-terrorism
  • cybercrime laws and regulations
  • regulating social networks
– companies and organisations:
  • allow facebook in the workplace?
  • integrate applications across government (g-cloud)
– individuals:
  • should I order from this web site?
  • should I trust this seller?

Page 8

the CISO: Chief Information Security Officer

Page 9

CISO

responsible for protecting an organisation's information

fascinating job:
– technology
– threats, crime
– organisational politics
– risk management
– high responsibility

how are CISOs doing:
– with respect to employees
– with respect to business

Page 10

CISO employees

confidentiality – availability trade-off
– better protected (confidentiality up)
– but you may lose the keys... (availability down)

for employees, additionally:
– time wasted
– privacy

Page 11

CISO employees

CISOs are experienced in trading off confidentiality and availability from the company perspective

problem: the CISO has no objective means to identify and communicate the value and importance of usability for the employee

need tools that consider the employee, but put the CISO and their task at the centre; the tool itself should seem to disappear

Page 12

CISO business

Forrester finds:
1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. the focus is on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are

Forrester © 2010: 'The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk'

Page 13

how do CISOs do?

CISO at a high-value firm scores its security at 2.5 out of 3

CISO at a low-value firm scores its security at 2.6 out of 3

high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data

so, the CISOs think security is okay/the same, despite the differences in actual accidents at the firms...

Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics

Page 14

introduction to the trust economics methodology

Page 15

Phillips curve: inflation versus unemployment

Page 16

Phillips curve: inflation versus unemployment

assume we're here

Page 17

weigh inflation and unemployment

the UK decides its target combination of unemployment and inflation

Page 18

instrument

the central bank has an instrument: the interest rate

inflation moves with the interest rate: lowering the rate raises inflation (and lowers unemployment)

you can solve equations to find out which interest rate is best for a country

Page 19

instrument: change interest rate

lower the interest rate to move to the target

Page 20

how does this work for security investments?
• you want to optimize a utility function combining confidentiality and availability
• you can use as instrument
  – more monitoring of employees
  – more training

would like to use economics' models
• but we have no nice functions for:
  – the relation between availability and confidentiality
  – monitoring nuisance to employees vs. confidentiality gain

instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over the past 40 years

Page 21

building a predictive model:

discrete-event dynamic systems

Page 22

information security ontology

first, we define our problem space: an ontology

not unlike a dictionary:
• a collection of interrelated terms and concepts that describe and model a domain
• expressed in a formal ontology language (OWL)

Page 23

simple base example ontology

[diagram: four classes, asset, vulnerability, threat and control, linked by the relations exploited by, mitigated by, on, threatens and implemented by]

Page 24

simple base example ontology

[diagram as on the previous page]

Page 25

includes human behavioural concerns

[diagram: ontology fragment for Helpdesk Password Reset Management; concepts include Single Password Memorisation Difficult, Single Password Forgotten, IT Helpdesk Cannot Satisfy Reset Request, Automated Password Reset System, Additional Helpdesk Staff, Helpdesk Busy, Password Reset Process Laborious, User temporarily without access, User compliance diminished, Employee Becomes Impatient, Helpdesk Provided With Identity Verification Details, User Account Details Stolen, Malicious party gains access; relation types include Transfer, Capability, Reduction, Temporal and Mindset]
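The base ontology of pages 22 to 25 can be exercised without an OWL toolchain. The following is an added example, not the lecture's ontology: the class names (asset, vulnerability, threat, control) and relation names (exploitedBy, mitigatedBy, on, threatens, implementedBy) are taken from the slide, while the domain and range assigned to each relation, the individuals and the links between them are the editor's assumptions, chosen to echo the laptop and helpdesk scenarios of the lecture. The point it shows is the one the slide makes: once the terms are formalised, a tool can reject inconsistent statements and answer questions such as "which controls mitigate the threats to this asset?" by following the relations.

```python
"""Toy information-security ontology in plain Python (added illustration, not the
lecture's OWL ontology).  Class and relation names come from the 'simple base
example ontology' slide; the domain/range of each relation, the individuals and
their links are assumptions made for this example."""

# relation -> (domain class, range class); assumed reading of the slide's arrows
RELATIONS = {
    "exploitedBy":   ("vulnerability", "threat"),
    "mitigatedBy":   ("vulnerability", "control"),
    "on":            ("vulnerability", "asset"),
    "threatens":     ("threat", "asset"),
    "implementedBy": ("control", "asset"),
}


class Ontology:
    def __init__(self):
        self.classes = {}   # individual -> class name
        self.triples = []   # (subject, relation, object)

    def declare(self, individual, cls):
        self.classes[individual] = cls

    def relate(self, subject, relation, obj):
        """Add a triple, rejecting it if it violates the relation's domain/range
        (the consistency check an OWL reasoner performs for you)."""
        domain, range_ = RELATIONS[relation]
        if self.classes.get(subject) != domain:
            raise ValueError(f"{subject!r} is not a {domain}")
        if self.classes.get(obj) != range_:
            raise ValueError(f"{obj!r} is not a {range_}")
        self.triples.append((subject, relation, obj))

    def objects(self, subject, relation):
        return [o for s, r, o in self.triples if s == subject and r == relation]

    def subjects(self, relation, obj):
        return [s for s, r, o in self.triples if r == relation and o == obj]

    def threats_and_controls(self, asset):
        """For one asset: vulnerabilities 'on' it, the threats that exploit them and
        the controls that mitigate them, as {threat: set of controls}."""
        result = {}
        for vuln in self.subjects("on", asset):
            for threat in self.objects(vuln, "exploitedBy"):
                result.setdefault(threat, set()).update(self.objects(vuln, "mitigatedBy"))
        return result


def build_example():
    """Constructed individuals echoing the lecture's laptop and helpdesk scenarios;
    the links between them are assumptions for illustration."""
    o = Ontology()
    for name, cls in [
        ("slides on laptop", "asset"),
        ("user account", "asset"),
        ("data stored unencrypted", "vulnerability"),
        ("helpdesk reset without identity verification", "vulnerability"),
        ("laptop lost in transit", "threat"),
        ("malicious party gains access", "threat"),
        ("full-disk encryption", "control"),
        ("automated password reset system", "control"),
    ]:
        o.declare(name, cls)
    o.relate("data stored unencrypted", "on", "slides on laptop")
    o.relate("data stored unencrypted", "exploitedBy", "laptop lost in transit")
    o.relate("data stored unencrypted", "mitigatedBy", "full-disk encryption")
    o.relate("laptop lost in transit", "threatens", "slides on laptop")
    o.relate("helpdesk reset without identity verification", "on", "user account")
    o.relate("helpdesk reset without identity verification", "exploitedBy", "malicious party gains access")
    o.relate("helpdesk reset without identity verification", "mitigatedBy", "automated password reset system")
    o.relate("malicious party gains access", "threatens", "user account")
    return o


if __name__ == "__main__":
    onto = build_example()
    for asset in ("slides on laptop", "user account"):
        print(asset, "->", onto.threats_and_controls(asset))
```

Trying to state that a control "threatens" an asset raises ValueError, which is the kind of mistake a formal ontology catches early; the human-behavioural concepts of page 25 would enter the same structure as further classes and relation types.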

Page 26

system model: places and roles

the model describes how the system moves between states

Page 27

probabilities and distributions

we use probabilities:
• to represent uncertainty: A or B may happen
• to represent long-run fractions: 60 percent of the time A happens

we also need to represent uncertainty about duration:
• use probability distributions
  – all possible durations have a probability
  – these sum to 1

Page 28

system model: probabilities and distributions

2 in 3 employees next go in transit when at desk

1 in 3 employees next go to the conference room when at desk

travel to a client takes between 45 and 75 minutes, uniformly spread

Page 29

rewards define the utility for various states

confidentiality penalty if lost in transit

penalty for employee losing time with password

availability penalty if slides cannot be accessed

Page 30

use powerful tools: Möbius

Page 31

embed these CS tools into joint decision-making tools

[diagram: objective decision-making tools]

Page 32

results

if we use a certain instrument (disallow data to be carried unencrypted), we can now solve these models:
• the CISO finds out how the employee would respond to the instrument
• based on employee preferences, the CISO finds out if it is beneficial for the company and at what value to set the instrument
• the CISO can try other instruments as well

Page 33

results

[figure: two plots over x = 20, 50, 100, 200, 500; left: best encryption level employee (y from 0 to 1); right: utility for company (y from 0 to 140)]
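The model of pages 26 to 33 can be written down as a small discrete-event simulation. What follows is an added example, not the lecture's Möbius model: it keeps the figures the slides give (2/3 of desk spells are followed by transit and 1/3 by the conference room, travel to a client is uniform on 45 to 75 minutes, the three reward types of page 29, and the encryption level as the instrument of page 32) and invents the remaining numbers, all marked as assumptions in the code. The x-axis of the page 33 plots is not labelled in the transcript, so the values the main block sweeps are an assumption too. Running the same random number stream for every candidate level (common random numbers) makes the utilities comparable across levels, which is the step where the CISO reads off the best setting of the instrument.

```python
"""Toy trust-economics model of the lecture's laptop scenario (added illustration,
not the Möbius model from the lecture).  From the slides: 2/3 of desk spells are
followed by transit and 1/3 by the conference room; travel to a client is uniform
on 45-75 minutes; rewards are a confidentiality penalty if data is lost in
transit, an availability penalty if slides cannot be accessed, and a penalty for
employee time spent on passwords; the instrument is the required encryption level.
Every other number below is an assumption."""
import random
from dataclasses import dataclass

MINUTES_PER_DAY = 8 * 60
LEVELS = [i / 10 for i in range(11)]   # candidate settings: fraction of data encrypted


@dataclass(frozen=True)
class Params:
    data_value: float                     # confidentiality penalty if all data is lost unencrypted
    loss_prob_per_trip: float = 0.05      # assumed: chance the laptop is lost on one trip
    forget_prob_per_access: float = 0.01  # assumed: chance the password is forgotten at an access
    availability_penalty: float = 10.0    # assumed: penalty per 'slides cannot be accessed' event
    password_minutes: float = 0.5         # assumed: employee time per access to encrypted data
    minute_cost: float = 0.2              # assumed: company value of one employee-minute


def simulate(enc_level, prm, days=250, seed=1):
    """One run of the discrete-event model; returns the accumulated penalties."""
    rng = random.Random(seed)   # same seed for every level: common random numbers
    t, state = 0.0, "desk"
    conf = avail = minutes = 0.0
    while t < days * MINUTES_PER_DAY:
        if state == "desk":
            t += rng.expovariate(1 / 30)         # assumed: work spell, mean 30 min, one slide access
            touched = rng.random() < enc_level   # did this access hit encrypted data?
            forgot = rng.random() < prm.forget_prob_per_access   # drawn unconditionally so the stream stays aligned across levels
            if touched:
                minutes += prm.password_minutes
                if forgot:
                    avail += prm.availability_penalty
            state = "transit" if rng.random() < 2 / 3 else "conference"
        elif state == "conference":
            t += rng.uniform(30, 60)             # assumed meeting length
            state = "desk"
        elif state == "transit":
            t += rng.uniform(45, 75)             # slide 28: 45-75 min, uniform
            if rng.random() < prm.loss_prob_per_trip:
                conf += prm.data_value * (1 - enc_level)   # only the unencrypted share is exposed
            state = "client"
        else:  # at the client
            t += rng.uniform(60, 120)            # assumed visit length, return trip folded in
            state = "desk"
    return {"confidentiality": conf, "availability": avail, "employee_minutes": minutes}


def company_utility(rewards, prm):
    """Company utility: negative sum of the three penalties, employee time priced in."""
    return -(rewards["confidentiality"] + rewards["availability"]
             + prm.minute_cost * rewards["employee_minutes"])


def sweep(prm, levels=LEVELS):
    """Company utility at every candidate encryption level."""
    return {lvl: company_utility(simulate(lvl, prm), prm) for lvl in levels}


def best_level(prm):
    """The setting of the instrument the CISO should choose for this data value."""
    utilities = sweep(prm)
    return max(utilities, key=utilities.get)


if __name__ == "__main__":
    for value in (20, 50, 100, 200, 500):      # assumed data values for the sweep
        prm = Params(data_value=value)
        lvl = best_level(prm)
        mins = simulate(lvl, prm)["employee_minutes"]
        print(f"data value {value:4}: best encryption level {lvl:.1f}, "
              f"employee minutes spent on passwords {mins:.0f}")
```

With data_value at zero the best level is 0 (encryption only costs employee time and availability), and with a very large data_value it is 1; the employee minutes reported at the chosen level are the "how would the employee respond" half of the result, the part the CISO of page 11 otherwise has no objective way to see.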

Page 34

the science

Page 35

trans-disciplinary research

[diagram: economics; psychology, social sciences; CS: technology + modelling]

Page 36

probabilistic/stochastic modelling

Markov/Kolmogorov laid the mathematical basis before WWII

40 years of CS research:
• the rare-event problem in dependability precluded Monte Carlo simulation
• performability and stochastic Petri net tools (Meyer, Trivedi)
• extraordinary advances in tool building: fast algorithms, BDDs, a billion states is routine (Sanders, Ciardo)
• ongoing integration with model checking (Haverkort, Kwiatkowska)

Page 37

rigour through stochastic models

do we make better decisions?

[diagram: timeline from 2005 to 2015++: best modeller judgement; ask specialists if all right; ask CISOs if decisions are better; collect and compile data and evidence]

Page 38

the future

Page 39

trust-economics as design methodology

back to facebook: how to protect your data across all your social network sites?

currently:
• OAuth 2.0 and similar protocols:
  – make it easy for facebook and others to distribute your data (with your permission)
• we are developing user managed access (UMA):
  – makes it easy for you to protect your data

UMA is a standards effort of the Kantara Initiative, with PayPal, Sun and others

Page 40

user managed access

you decide who gets access:

[diagram]

Page 41

user managed access

one possible usage model: facebook and others put a UMA button on their site for you to apply access restrictions to data

Page 42

trust economics in the design

predict the trade-off between confidentiality and availability
• identify how people would use UMA
  – to configure access restrictions
  – to access data
• analyse different design alternatives
  – UMA button
  – seamless OAuth access
• model attacks and failure

this is not a GUI study
this is not a business case

it's adding science into the design to consider incentives, habits and trade-offs of multiple parties

Page 43

trust economics research

[diagram: roadmap from 2005 through 2010 and onwards: TE methodology defined; articulating CISO perspective; CISO decision-making tools; ontology; compliance budget; HP ViStorm business; models for human behaviour / preferences; TE as a design methodology; long-term scientific validation; case studies ++]

Page 44

thanks

Johari, Jamal, Rob, Dee, John, Martin, Christiaan, John, Maciej, Lukasz, Simon, Gemma, Chris, James, Rouaa, Wen, Rachel, Marios, Darek, Dasha

see the web site for all their papers (ontologies, CISOs, data collection, modelling, case studies, UMA, ...)

• trust economics projects (TSB, HP and others)
• SMART projects (TSB, JISC)
• projects with Nigel (EPSRC)

all of you