1. Risk Aware Decision Framework for Trusted Mobile Interactions September 2005 Daniele Quercia and Stephen Hailes CS department University College London {d.quercia,s.hailes}@cs.ucl.ac.uk SECOVAL 2005

2. Daniele Quercia SECOVAL 2005 D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions 2 Outline Mobile software concerns and solutions; Previous work on Trust Management and Expected Utility (EU); Scenario; Composing elements of the model; Analysis of the model.

3. Daniele Quercia3 Introduction Mobile devices need to adapt to changing context. How? They load software (sw) components from each other. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 Problem: Security concerns when loading sw components (e.g., viral components and components not running as expected).

4. Daniele Quercia4 Conventional Solution Devices accept only digitally signed sw components. That’s acceptable as long as … … #(sw providers) is low; …  globally trustworthy Certification Authority. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005

5. Daniele Quercia5 Our Proposal A device uses a local decision framework to load software components. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 model decision-making under uncertainty; integrate user’s risk attitudes; compute risk probabilities from trust mechanisms. Such framework has desirable properties:

6. Daniele Quercia6 Related Work – Trust Management Frameworks Marsh: computational trust concept. Abdul-Rahmal and Hailes: use of recommendations. Mui et al.: reputation concept. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 formal trust model; risk-based decision module.

7. Daniele Quercia7 Related Work – Expected Utility D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 (a) ACTIONS (b) STATES No Rain Take Umbrella Do not take Umbrella (c) OUTCOME MATRIX Rain No Wet Wet (f) Decision Rule Max Overall Utility Function: Action  Utility (d) Probability Function: State  Probability  (No Rain)  (Rain) (e) Elementary Utility Function: Outcome  Utility u(Wet) u(No Wet)

8. Daniele Quercia8 Scenario: Secure Conference While Alice conferences on the move, her PDA guarantees secure communication across all traversed space. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 Abstract Situation 123 Component Loader Component Supplier Semantics, Timeframe Details, Service Level Bob Alice

9. Daniele Quercia9 Scenario – Expected Utility Elements D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 (a) ACTIONS (b) STATES CS delivers C within R 1 Take C Do not take C (c) OUTCOME MATRIX CS delivers C within R 2 CS delivers C within R 3 Ask User Carry on seamles- sly Carry on with limited disruptions Give up Alice interacts with GUI (f) Decision Rule (d) Probability Function (e) Elementary Utility Function

10. Daniele Quercia10 D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 (f) Decision Rule IN: - actions - nearby component suppliers. OUT:max of expected utility.  action a and component supplier h, the expected utility is outcome utility state probability

11. Daniele Quercia11 D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 (e) Elementary Utility Function o value(o) utility(o) Logarithmic elementary utility function (user attitudes are risk-averse). To enhance tractability, 2 order Taylor approximation We determine the application dimensions (e.g., absence of disruptions, spared user time, security gap) i th dimension importance factors: w i (user preferences); D i (o) (function of outcome and application).

12. Daniele Quercia12 D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005 (d) Probability Function  h (s): component loader’s belief that a certain state s will take place when interacting with the component provider h. Component loader receives Service Level= (d p, Confidence Level (CL)) computes each state probability (for a given h):  We need  and  :  Trust and  CL   Uncertainty   

13. Daniele Quercia13 Discussion Uncertainty is … …source of risks; …reduced through assurance (e.g, devices load only provable authored software) and trust (e.g., devices rely on trustworthiness assessments to make informed decisions). Assurance-based approaches are preferable, but not always possible! D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005

14. Daniele Quercia14 Conclusion We have proposed a conceptual model of decision- making for software component loading, which… …integrates trust mechanisms and risk assessment; …consider user risk attitudes. Assumptions to be relaxed: constant risk-averse preferences; normal distribution for probability function. D. Quercia and S. HailesRisk Aware Decision Framework for Trusted Mobile Interactions SECOVAL 2005