The role of science in cybercrime prevention and computer security. SnT Luxembourg, July 14, 2010. Aad van Moorsel, Newcastle University, School of Computing Science.

Presentation transcript:

1 the role of science in cybercrime prevention and computer security. SnT Luxembourg, July 14, 2010. Aad van Moorsel, Newcastle University, School of Computing Science, Centre for Cybercrime and Computer Security

2 motivation

3 [image-only slide] © Aad van Moorsel, Newcastle University, 2010

4 example of the sort of problems

5 example of the sort of problems (figure annotations): economic motivation; blame the user; hacker's motivation; shift economic accountability

6 the role of science in cybercrime and security
– some exasperation: "so much trouble, so few improvements"
– in the US as well as the EU: looking for science to help find resolutions
– personal interest: own research, and the cybercrime centre's research
what is science?
– use of the scientific method: falsifiable conclusions
– use of scientific techniques: mathematics, rigorous engineering tools, rigorous social science methods

7 holding us back: requiring technological perfection

8 holding us back: blaming the human

9 holding us back: convoluted (economic) incentives

10 Newcastle Cybercrime Centre research strands
– risk management & communication
– secure networked business
– useable security
– computer-aided forensics
stakeholders: law enforcement; citizens and families; policy makers; businesses

11 my group: risk management & communication
stakeholders: law enforcement; citizens and families; policy makers; businesses
– objective security investments using mathematical models ('trust economics')
– research how to educate in security, and how people react to fraud cues in web sites
– user interfaces to show dangers and quantify risks in an intuitive manner

12 policy decision-making — the trust economics methodology

13 security decision-making
decisions at various levels:
– policy makers: anti-terrorism; cybercrime laws and regulations; regulating social networks
– companies and organisations: allow facebook in the workplace? integrate applications across government (g-cloud)?
– individuals: should I order from this web site? should I trust this seller?

14 the CISO: Chief Information Security Officer

15 Forrester report 2010
in 'The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk', Forrester finds:
1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. the focus is on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are

16 the value of top-five data assets
in the knowledge industry about 70% of this is secrets, 30% custodial data (credit card, customer data, etc.)

17 compliance drives budgets, but doesn't protect secrets

18 most incidents are employee accidents
[percentage missing from the transcript] % of incidents are insider (accident or theft)

19 but thefts are much more costly than accidents

20 do CISOs know?
– the CISO at a high-value firm scores its security at 2.5 out of 3
– the CISO at a low-value firm scores its security at 2.6 out of 3
– high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data
so, the CISOs seem to think security is okay/the same, despite the differences in actual accidents at the firms...
Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics

21 introduction to the trust economics methodology

22 trust economics methodology for security decisions
stakeholders discuss a model of the information system
trade off: legal issues, human tendencies, business concerns, ...

23 trust economics research
from the trust economics methodology, the following research follows:
1. identify human, business and technical concerns
2. develop and apply mathematical modelling techniques
3. glue concerns, models and presentation together using a trust economics information security ontology
4. use the models to improve the stakeholders' discourse and decisions

24 defining the problem space: information security ontology including human behavioural and economic aspects

25 ontologies
– not unlike a dictionary: a collection of interrelated terms and concepts that describe and model a domain
– expressed in a formal ontology language (OWL)
– aim: define the problem space; share knowledge between humans; underlie the tools we build (integrate)

26 security ontology: relationships (Fenz, ASIACCS'09, Formalizing Information Security Knowledge)

27 security ontology: example of fire threat (Fenz, ASIACCS'09, Formalizing Information Security Knowledge)

28 human-behavioural aspects in the ontology

29 ontology – password policy example

30 example – password memorisation

31 example – recall methods

32 example – password reset function
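The password-policy example of slides 29 to 32 turns on one idea: a control that mitigates a threat (a complex-password policy against guessing) also drags in human-behavioural consequences (memorisation burden, passwords written down) that can re-expose the very asset being protected, and a second control (a reset function) trades that burden for help-desk load. The following is an added illustration, not code from the talk and not the Newcastle or Fenz OWL ontology: a constructed mini knowledge base of subject/predicate/object triples with its own class and property names, and two queries a CISO tool would run over it: which controls mitigate a threat, and which side effects (and re-exposed assets) each control carries.

```python
from collections import deque

# Constructed knowledge base in the spirit of slides 25-32. Every name below is
# this example's own vocabulary, not an identifier from the real OWL ontologies.
TRIPLES = [
    ("PasswordComplexityPolicy", "isA", "Control"),
    ("PasswordResetFunction",    "isA", "Control"),
    ("PasswordGuessing",         "isA", "Threat"),
    ("MemorisationBurden",       "isA", "HumanFactor"),
    ("PasswordWrittenDown",      "isA", "HumanBehaviour"),
    ("HelpDeskLoad",             "isA", "BusinessCost"),
    ("UserCredential",           "isA", "Asset"),
    ("PasswordGuessing",         "threatens", "UserCredential"),
    ("PasswordComplexityPolicy", "mitigates", "PasswordGuessing"),
    ("PasswordComplexityPolicy", "increases", "MemorisationBurden"),
    ("MemorisationBurden",       "leadsTo",   "PasswordWrittenDown"),
    ("PasswordWrittenDown",      "exposes",   "UserCredential"),
    ("PasswordResetFunction",    "reduces",   "MemorisationBurden"),
    ("PasswordResetFunction",    "increases", "HelpDeskLoad"),
]

# Predicates that carry a consequence forward (a control "increases" a burden,
# a burden "leadsTo" a behaviour, a behaviour "exposes" an asset).
SIDE_EFFECT_EDGES = {"increases", "leadsTo", "exposes"}


def controls_for(threat, triples=TRIPLES):
    """Controls the knowledge base says mitigate `threat`."""
    return sorted(s for s, p, o in triples if p == "mitigates" and o == threat)


def side_effects(control, triples=TRIPLES):
    """Breadth-first walk over side-effect edges from `control`.

    Returns the (node, predicate, consequence) edges in discovery order, so the
    chain control -> burden -> behaviour -> exposed asset is visible to the user.
    """
    seen, order, queue = set(), [], deque([control])
    while queue:
        node = queue.popleft()
        for s, p, o in triples:
            if s == node and p in SIDE_EFFECT_EDGES and o not in seen:
                seen.add(o)
                order.append((node, p, o))
                queue.append(o)
    return order


def reexposed_assets(control, triples=TRIPLES):
    """Assets that the control's behavioural side effects expose again."""
    return sorted({o for _, p, o in side_effects(control, triples) if p == "exposes"})


if __name__ == "__main__":
    for control in controls_for("PasswordGuessing"):
        print(control, "mitigates PasswordGuessing but:")
        for node, pred, consequence in side_effects(control):
            print("   ", node, pred, consequence)
        print("    re-exposes:", reexposed_assets(control))
```

With the constructed triples, the complexity policy mitigates the guessing threat but its side-effect chain ends at the same credential asset, which is exactly the kind of consequence the human-behavioural extension of the ontology is meant to surface before a policy is adopted.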

33 conclusion: ontologies
scientific rigour through ontologies:
1. the ontology defines the problem and solution space: information security decision making; the trust economics methodology
2. the ontology includes human-behavioural aspects
3. the ontology has been abstracted so that a CISO can easily edit it
4. web-based collaborative security knowledge based on the ontology (together with SBA, Austria)
5. the ontology is the foundation of software tools

34 probabilistic system models

35 optimize utility
– the central bank has an instrument, call it I, the interest rate
– inflation is a function of I
– unemployment is a function of inflation
– the best for a country is some weighted sum of unemployment and inflation
– you can solve the equation to find out which I is best for the country

36 how does this work for security investments?
– you want to optimize a utility function combining confidentiality and availability
– you can set the value of I, the instrument: more monitoring of employees, or more training
but we have no nice functions for:
– monitoring employees versus improved confidentiality
– perturbations of confidentiality over time
– the relation between availability and confidentiality
instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over the past 40 years

37 system model: the model describes how the system moves between states

38 probabilities and distributions
we use probabilities:
– to represent uncertainty: A or B may happen
– to represent long-run fractions: 60 percent of the time A happens
we also need to represent uncertainty about duration: use probability distributions
– all possible durations have a probability
– the probabilities sum to 1

39 system model: probabilities and distributions
– 2 in 3 employees next go in transit when at the desk
– 1 in 3 employees next go to the conference room when at the desk
– travel to the client takes between 45 and 75 minutes, uniformly spread

40 stochastic system model (in Möbius)
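The state model of slides 37 to 40, as an added worked example: this is not the Möbius model from the talk, just a small discrete-event simulation of one employee moving between desk, transit, conference room and client. The branching probabilities at the desk (2 in 3 to transit, 1 in 3 to the conference room) and the uniform 45 to 75 minute travel time are the figures on slide 39; the durations of the other three states, the client-to-desk return, and the twenty-thousand-step run length are this example's own assumptions. It estimates the long-run fraction of time in each state, which is the quantity a confidentiality/availability utility would be evaluated on, and reports how much of that time the employee (and the laptop) is outside the office.

```python
import random
from collections import defaultdict

# Branching structure. The two desk probabilities are from slide 39; the other
# transitions (client -> desk, in particular) are assumptions for this example.
TRANSITIONS = {
    "desk":       [("transit", 2 / 3), ("conference", 1 / 3)],
    "transit":    [("client", 1.0)],
    "conference": [("desk", 1.0)],
    "client":     [("desk", 1.0)],
}


def sample_duration(state, rng):
    """Minutes spent in `state`. Only the transit distribution comes from the slides."""
    if state == "transit":
        return rng.uniform(45, 75)          # slide 39: 45-75 minutes, uniformly spread
    if state == "desk":
        return rng.expovariate(1 / 120)     # assumption: mean 2 hours at the desk
    if state == "conference":
        return rng.uniform(30, 90)          # assumption: 30-90 minute meetings
    if state == "client":
        return rng.expovariate(1 / 180)     # assumption: mean 3 hours on site
    raise ValueError(f"unknown state {state!r}")


def next_state(state, rng):
    """Choose the successor state by the branching probabilities (uncertainty: A or B may happen)."""
    r, acc = rng.random(), 0.0
    for target, prob in TRANSITIONS[state]:
        acc += prob
        if r < acc:
            return target
    return TRANSITIONS[state][-1][0]        # guard against floating-point rounding at the top


def simulate(n_steps=20000, seed=1):
    """Run the model for n_steps state changes and return long-run statistics.

    fractions: share of total time in each state (the long-run fraction sense of probability)
    time_in / visits: accumulated minutes and number of visits per state
    branch: counts of each (state, successor) pair actually taken
    """
    rng = random.Random(seed)               # fixed seed so the run is reproducible
    time_in, visits, branch = defaultdict(float), defaultdict(int), defaultdict(int)
    state = "desk"
    for _ in range(n_steps):
        time_in[state] += sample_duration(state, rng)
        visits[state] += 1
        successor = next_state(state, rng)
        branch[(state, successor)] += 1
        state = successor
    total = sum(time_in.values())
    return {
        "fractions": {s: t / total for s, t in time_in.items()},
        "time_in": dict(time_in),
        "visits": dict(visits),
        "branch": dict(branch),
    }


def exposure_fraction(fractions):
    """Long-run fraction of time the employee, and any data carried, is outside the office."""
    return fractions.get("transit", 0.0) + fractions.get("client", 0.0)


if __name__ == "__main__":
    result = simulate()
    for state, share in sorted(result["fractions"].items()):
        print(f"{state:11s} {share:6.3f}")
    print("outside office:", round(exposure_fraction(result["fractions"]), 3))
```

The point of returning branch counts and per-state times is that the model can be checked against its own specification: the empirical desk-to-transit share should sit near 2/3 and the mean transit time near 60 minutes; if they do not, the model is wrong before any utility is computed from it.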

41 human behaviour
trust economics system models are yet more complicated:
– not only an overall objective, but also one for each individual participant: the human score function
– take all the human scoring functions together and determine which encryption level users will apply, for each investment level
– plug that into the model, and solve it for the confidentiality/availability utility function

42 some results
– a company can invest in more help desk staff, or in more monitoring of employees: which of the two investments is chosen makes little difference
– if investment increases, one would expect a gradual increase in users encrypting: it is not gradual, there is a sudden sharp increase at some investment level
– one would expect the user to change its proportion of encryption: the optimal proportion seems to be always 0 or 1

43 confidentiality/availability utility: investment on the horizontal axis, encryption probability on the vertical axis, with the linear conf/avail utility function from some slides back
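The two results on slide 42 (users encrypt either everything or nothing, and they switch abruptly at some investment level) follow from the shape of the human score function, and the following added example shows that mechanism in a few lines. It is an illustration with assumed functional forms, not the talk's Möbius model or its data: a user who encrypts with probability p pays an effort cost when encrypting and an expected penalty when not; help desk investment lowers the effort, monitoring investment raises the penalty. The score is linear in p, so its maximiser is a corner, and the corner flips once investment crosses a threshold. The company's utility is a linear combination of confidentiality (the share of data encrypted) and availability (encrypted data that is lost when keys or passphrases are), minus the cost of the investment; all weights and cost curves are this example's assumptions.

```python
# Assumed linear confidentiality/availability utility weights and a per-unit investment cost.
W_CONF, W_AVAIL, UNIT_COST = 1.0, 0.5, 0.02
INVESTMENT_LEVELS = range(0, 11)     # arbitrary budget units for the sweep


def effort(investment, instrument):
    """Perceived hassle of encrypting. Help desk staff reduce it; monitoring does not (assumption)."""
    return 1.0 / (1 + 0.4 * investment) if instrument == "helpdesk" else 1.0


def penalty(investment, instrument):
    """Expected blame for leaving data unencrypted. Monitoring raises it; help desk does not (assumption)."""
    return 0.4 + 0.25 * investment if instrument == "monitoring" else 0.4


def user_score(p, investment, instrument):
    """Human score function: encrypt with probability p, pay effort when you do and penalty when you don't."""
    return -p * effort(investment, instrument) - (1 - p) * penalty(investment, instrument)


def user_best_response(investment, instrument, grid=101):
    """Numerically maximise the score over p in [0, 1].

    The score is linear in p, so the maximum always lands on a corner: this is
    the 'optimal proportion is always 0 or 1' observation, found here by search
    rather than assumed. On an exact tie the first grid point (0) is returned.
    """
    candidates = [i / (grid - 1) for i in range(grid)]
    return max(candidates, key=lambda p: user_score(p, investment, instrument))


def lockout(investment, instrument):
    """Chance encrypted data is unavailable when needed (lost key/passphrase); help desk lowers it (assumption)."""
    return 0.3 / (1 + 0.4 * investment) if instrument == "helpdesk" else 0.3


def company_utility(investment, instrument):
    """Linear conf/avail utility at the encryption level users actually choose, net of investment cost."""
    p = user_best_response(investment, instrument)
    confidentiality = p                                    # share of data that is encrypted
    availability = 1 - p * lockout(investment, instrument) # encryption costs availability when keys are lost
    utility = W_CONF * confidentiality + W_AVAIL * availability - UNIT_COST * investment
    return utility, p


def sweep(instrument):
    """(investment, users' encryption probability, company utility) for every level of one instrument."""
    return [(inv, *reversed(company_utility(inv, instrument))) for inv in INVESTMENT_LEVELS]


def first_jump(rows):
    """Investment level at which users switch from not encrypting to encrypting; None if never."""
    return next((inv for inv, p, _ in rows if p > 0), None)


def best_investment(instrument):
    """The sweep row with the highest company utility."""
    return max(sweep(instrument), key=lambda row: row[2])


if __name__ == "__main__":
    for instrument in ("helpdesk", "monitoring"):
        print(instrument)
        for inv, p, u in sweep(instrument):
            print(f"  invest={inv:2d}  p_encrypt={p:.2f}  utility={u:.3f}")
        print("  jump at:", first_jump(sweep(instrument)), " best:", best_investment(instrument))
```

Two things carry over from this toy to the real models: the shape of the individual score function, not the size of the investment, is what produces the all-or-nothing behaviour, and because the company only benefits once the threshold is crossed, a sweep over investment levels is needed to find the optimum; a marginal analysis around the current budget would see no change at all.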

44 a tool for CISOs

45 [image-only slide]

46 a tool for CISOs

47 a tool for CISOs

48 a tool for CISOs

49 conclusion: system models
science of system models:
– rigorous mathematical techniques for prediction
– scientifically founded input from human behavioural experts
– scientific care is taken in not overstating its conclusions
better decision-making: for CISOs, and in the future for policy makers and for users

50 trust economics results thus far
– case study of USB use to demonstrate the idea (with HP et al.)
– refinements of modelling human behaviour (with UIUC)
– ontology developed to glue the pieces together
– CISO tool design completed and tool building started (with UCL)
– data collection strategies are being developed (with DWP)
– now developing trust economics as a design methodology (with the UMA standards body)
and to indicate it's for real: industrial-strength 'security analytics' consulting tools have just been released by HP/ViStorm, for patching strategies and data loss prevention

51 trust economics info
Publications:
– A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions. Simon Parkin, Aad van Moorsel, Philip Inglesant, Angela Sasse. New Security Paradigms Workshop, 2010.
– Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. Knowledge Management and Information Sharing, 2010.
– An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
– Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems.
– A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies.
– Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49–75.
– Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking.
– The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium.
Technical reports:
– Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
– Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
– A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
– Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153.
– A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056.

