The role of science in cybercrime prevention and computer security. Inaugural lecture, July 29, 2010. Aad van Moorsel, Newcastle University, School of Computing Science.


1 the role of science in cybercrime prevention and computer security
inaugural, July 29, 2010
Aad van Moorsel
Newcastle University, School of Computing Science
Centre for Cybercrime and Computer Security
aad.vanmoorsel@ncl.ac.uk

2 outline
1. motivation
2. CISO decision-making
3. trust economics methodology
   economics
   models
   human aspects
4. vision for the future
   decision making: science and tools
   design methodology
   user managed access example
5. conclusion
© Aad van Moorsel, Newcastle University, 2010

3 motivation

4 facebook dangers and controversies

5 facebook decision making
what should facebook consider?
–the law, or making profits?
–ethics, or making profits?
–principles, or making profits?
–understanding the limitations of the panic button, or political pressure?
security decisions combine
–technology
–psychology
–sociology
–business
–economics

6 facebook panic button

7 security decision-making
decisions at various levels:
–policy makers
  anti-terrorism
  cybercrime laws and regulations
  regulating social networks
–companies and organisations
  allow facebook in the workplace?
  integrate applications across government (g-cloud)
–individuals
  should I order from this web site?
  should I trust this seller?

8 the CISO: Chief Information Security Officer

9 CISO
responsible for protecting an organisation’s information
fascinating job:
–technology
–threats, crime
–organisational politics
–risk management
–high responsibility
how are CISOs doing:
–with respect to employees
–with respect to business

10 CISO → employees
confidentiality – availability trade-off
–better protected (confidentiality up)
–but you may lose the keys... (availability down)
for employees, additionally:
–time wasted
–privacy

11 CISO → employees
CISOs are experienced in trading off confidentiality and availability from the company perspective
problem: the CISO has no objective means to identify and communicate the value and importance of usability for the employee
need tools that consider the employee, but put the CISO and their task at the centre → the tool itself should seem to disappear

12 CISO → business
Forrester finds:
1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. focus on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are
Forrester © 2010: ‘The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk’

13 how do CISOs do?
CISO at high-value firm scores its security at 2.5 out of 3
CISO at low-value firm scores its security at 2.6 out of 3
high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data
so, the CISOs think security is okay/the same, despite the differences in actual accidents at a firm...
Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics

14 introduction to the trust economics methodology

15 Phillips curve: inflation versus unemployment

16 Phillips curve: inflation versus unemployment
assume we’re here

17 weigh inflation and unemployment
the UK decides its target combination of unemployment and inflation

18 instrument
the central bank has an instrument: the interest rate
inflation increases with the interest rate
you can solve equations to find out which interest rate is best for a country

19 instrument: change interest rate
lower the interest rate to move to the target

20 how does this work for security investments?
you want to optimize a utility function combining confidentiality and availability
you can use as instrument
–more monitoring of employees
–more training
we would like to use economics’ models, but we have no nice functions for:
–the relation between availability and confidentiality
–monitoring nuisance to employees vs. confidentiality gain
instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over the past 40 years

21 building a predictive model: discrete-event dynamic systems

22 information security ontology
first, we define our problem space: ontology
not unlike a dictionary: a collection of interrelated terms and concepts that describe and model a domain
expressed in a formal ontology language (OWL)

23 simple base example ontology
(diagram) concepts: asset, vulnerability, threat, control; relations: exploited by, mitigated by, on, threatens, implemented by

24 simple base example ontology
(diagram, same concepts and relations as slide 23)

25 includes human behavioural concerns
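As an added, runnable sketch of the base ontology on slides 23 to 25 (example code written for this page, not the project's OWL ontology): the four concepts, the relations named on the diagram, a consistency check that every relation points at a defined concept, the derived "threatens" relation, and a query for vulnerabilities that no control mitigates. Which concepts each relation connects (vulnerability on asset, vulnerability exploited by threat, vulnerability mitigated by control, control implemented by a role, which is where the human behaviour of slide 25 enters) is my reading of the diagram, and the instance data is constructed.

```python
"""Executable sketch of the base security ontology: asset, vulnerability, threat,
control and their relations. Added example; the relation targets are an assumption
read off the slide diagram, the instance data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str


@dataclass(frozen=True)
class Vulnerability:
    name: str
    on: str               # 'on': the asset that carries this vulnerability


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str         # 'exploited by', read from the threat's side


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str        # 'mitigated by', read from the control's side
    implemented_by: str   # 'implemented by': the role that has to act (human behaviour lives here)


@dataclass
class Ontology:
    assets: Dict[str, Asset] = field(default_factory=dict)
    vulnerabilities: Dict[str, Vulnerability] = field(default_factory=dict)
    threats: Dict[str, Threat] = field(default_factory=dict)
    controls: Dict[str, Control] = field(default_factory=dict)

    def add(self, *concepts) -> "Ontology":
        for c in concepts:
            bucket = {Asset: self.assets, Vulnerability: self.vulnerabilities,
                      Threat: self.threats, Control: self.controls}[type(c)]
            bucket[c.name] = c
        return self

    def dangling_references(self) -> List[str]:
        """Consistency check: every relation must point at a defined concept."""
        problems = []
        for v in self.vulnerabilities.values():
            if v.on not in self.assets:
                problems.append(f"vulnerability '{v.name}' is on unknown asset '{v.on}'")
        for t in self.threats.values():
            if t.exploits not in self.vulnerabilities:
                problems.append(f"threat '{t.name}' exploits unknown vulnerability '{t.exploits}'")
        for c in self.controls.values():
            if c.mitigates not in self.vulnerabilities:
                problems.append(f"control '{c.name}' mitigates unknown vulnerability '{c.mitigates}'")
        return problems

    def threatens(self) -> Set[Tuple[str, str]]:
        """Derived 'threatens' relation: a threat threatens the asset whose vulnerability it exploits."""
        pairs = set()
        for t in self.threats.values():
            v = self.vulnerabilities.get(t.exploits)
            if v is not None and v.on in self.assets:
                pairs.add((t.name, v.on))
        return pairs

    def unmitigated(self) -> List[Tuple[str, str, str]]:
        """(asset, vulnerability, threat) triples where no control mitigates the vulnerability."""
        covered = {c.mitigates for c in self.controls.values()}
        return sorted((self.vulnerabilities[t.exploits].on, t.exploits, t.name)
                      for t in self.threats.values()
                      if t.exploits in self.vulnerabilities and t.exploits not in covered)


def example_ontology() -> Ontology:
    """Constructed instance (not data from the talk): slides carried on a laptop."""
    return Ontology().add(
        Asset("presentation slides"),
        Vulnerability("unencrypted disk", on="presentation slides"),
        Vulnerability("weak unlock password", on="presentation slides"),
        Threat("laptop lost in transit", exploits="unencrypted disk"),
        Threat("password guessing", exploits="weak unlock password"),
        Control("full-disk encryption", mitigates="unencrypted disk", implemented_by="employee"),
    )


if __name__ == "__main__":
    ont = example_ontology()
    print("consistent:", not ont.dangling_references())
    print("threatens:", sorted(ont.threatens()))
    print("unmitigated:", ont.unmitigated())
```

The point of the two queries is that the relations, once formal, let a tool derive facts the modeller never typed in (which threats reach which assets) and flag gaps (a vulnerability with a threat but no control), which is what the ontology is for before any probabilistic model is built on top of it.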

26 system model: places and roles
the model describes how the system moves between states

27 probabilities and distributions
we use probabilities:
represents uncertainty: A or B may happen
represents long-run fractions: 60 percent of the time A happens
we also need to represent uncertainty about duration: use probability distributions
–all possible durations have a probability
–sum to 1

28 system model: probabilities and distributions
2 in 3 employees next go in transit when at desk
1 in 3 employees next go to conference room when at desk
travel to client takes between 45 and 75 minutes, uniformly spread

29 rewards
define the utility for various states
confidentiality penalty if lost in transit
penalty for employee losing time with password
availability penalty if slides cannot be accessed

30 use powerful tools: Möbius

31 embed these CS tools into joint decision-making tools
objective decision-making tools

32 results
if we use a certain instrument (disallow data to be carried unencrypted) we can now solve these models:
CISO finds out how the employee would respond to the instrument, based on employee preferences
CISO finds out if it is beneficial for the company and at what value to set the instrument
CISO can try other instruments as well
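The discrete-event model of slides 20 and 26 to 29, and the instrument sweep of slide 32, as an added Monte Carlo example in Python (written for this page, not the Möbius model from the talk). The 2-in-3 / 1-in-3 split at the desk and the uniform 45 to 75 minute travel time are the figures on the slides; the other state durations, the per-minute loss probability, the penalty values, the auto-lock timeout used as the "encrypt what you carry" instrument, and the employee's tolerance for password entries are constructed assumptions and are marked as such in the code. Instead of solving the model analytically the example simulates days, first to predict the employee's response (comply, or leave the slides at the desk) and then to score each instrument value for the company.

```python
"""Monte Carlo version of the employee-mobility model from the slides (added example).
Only the desk transition split and the 45-75 min transit time come from the slides;
every other number below is an assumption."""
import random
from dataclasses import dataclass

WORK_DAY = 8 * 60  # minutes per simulated day (assumption)

# state -> (duration sampler in minutes, [(next state, probability), ...])
MODEL = {
    "desk":       (lambda r: r.uniform(30, 90),  [("to_client", 2 / 3), ("conference", 1 / 3)]),
    "conference": (lambda r: r.uniform(30, 60),  [("desk", 1.0)]),
    "to_client":  (lambda r: r.uniform(45, 75),  [("client", 1.0)]),   # slides: 45-75 min, uniform
    "client":     (lambda r: r.uniform(60, 120), [("to_desk", 1.0)]),
    "to_desk":    (lambda r: r.uniform(45, 75),  [("desk", 1.0)]),
}
TRANSIT = {"to_client", "to_desk"}
PENALTIES = ("confidentiality", "password", "availability")


@dataclass
class Rewards:
    """Penalties for states and events plus the employee preference (constructed values)."""
    unlocked_loss: float = 1000.0   # confidentiality: device lost in transit with data readable
    locked_loss: float = 50.0       # hardware only: encrypted and locked device lost
    password_entry: float = 0.25    # employee time lost per password entry
    no_slides_per_min: float = 0.5  # availability: at the client without the slides
    tolerated_entries: int = 8      # unlocks per day the employee accepts before leaving the slides behind


def choose_next(rng, options):
    x, acc = rng.random(), 0.0
    for state, p in options:
        acc += p
        if x < acc:
            return state
    return options[-1][0]


def simulate_day(rng, lock_timeout, rw, carries_data, loss_rate=1e-4):
    """One working day. lock_timeout is the CISO's instrument: minutes of idleness after
    which the encrypted device locks (None = no encryption policy). loss_rate is the
    per-minute probability of losing the device in transit (assumption)."""
    res = {"confidentiality": 0.0, "password": 0.0, "availability": 0.0, "entries": 0}
    state, clock, idle = "desk", 0.0, 0.0       # idle: minutes since the device was last used
    while clock < WORK_DAY:
        sampler, options = MODEL[state]
        duration = sampler(rng)
        if state in TRANSIT:
            for minute in range(1, int(duration) + 1):
                if carries_data and rng.random() < loss_rate:
                    locked = lock_timeout is not None and idle + minute > lock_timeout
                    res["confidentiality"] += rw.locked_loss if locked else rw.unlocked_loss
                    carries_data = False         # the slides are gone for the rest of the day
                    break
            idle += duration                     # nobody touches the device while travelling
        else:
            if state == "client" and not carries_data:
                res["availability"] += rw.no_slides_per_min * duration
            used = 0.0   # working: 10-minute bursts of use separated by idle gaps (exponential, mean 20 min)
            while used < duration:
                if lock_timeout is not None and idle > lock_timeout:
                    res["password"] += rw.password_entry
                    res["entries"] += 1
                gap = rng.expovariate(1 / 20)
                idle, used = gap, used + 10.0 + gap
        clock += duration
        state = choose_next(rng, options)
    return res


def employee_response(lock_timeout, rw, days=200, seed=0):
    """Predicted behaviour: carry the slides and comply, or, if the policy forces more unlocks
    per day than the employee tolerates, leave the slides at the desk (the workaround)."""
    rng = random.Random(seed)
    entries = sum(simulate_day(rng, lock_timeout, rw, True)["entries"] for _ in range(days)) / days
    return entries <= rw.tolerated_entries, entries


def evaluate_instrument(lock_timeout, rw=None, days=2000, seed=1, loss_rate=1e-4):
    """Expected daily penalties and utility for one instrument value, given the employee's response."""
    rw = rw or Rewards()
    complies, entries = employee_response(lock_timeout, rw, seed=seed)
    rng, total = random.Random(seed), {k: 0.0 for k in PENALTIES}
    for _ in range(days):
        day = simulate_day(rng, lock_timeout, rw, complies, loss_rate)
        for k in PENALTIES:
            total[k] += day[k] / days
    total.update(lock_timeout=lock_timeout, employee_complies=complies, entries_per_day=entries,
                 utility=-sum(total[k] for k in PENALTIES))
    return total


def best_instrument(candidates=(None, 1, 5, 15, 30, 60), **kwargs):
    """Sweep the instrument and return the value with the highest expected utility, plus the sweep."""
    results = [evaluate_instrument(t, **kwargs) for t in candidates]
    return max(results, key=lambda r: r["utility"]), results


if __name__ == "__main__":
    best, sweep = best_instrument()
    for r in sweep:
        print({k: (round(v, 2) if isinstance(v, float) else v) for k, v in r.items()})
    print("best instrument value (lock timeout, minutes):", best["lock_timeout"])
```

Run as a script it prints one row per candidate timeout. The shape of the result is what slide 32 describes: a very short timeout makes the employee stop carrying the slides, so the company pays in availability rather than confidentiality; no policy at all pays in confidentiality; the sweep shows where between the two the expected utility peaks. Whether that peak is worth anything depends entirely on the assumed numbers, which is why the talk stresses collecting data and evidence for them.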

33 results

34 the science

35 trans-disciplinary research
economics
psychology, social sciences
CS: technology + modelling

36 probabilistic/stochastic modelling
Markov and Kolmogorov laid the mathematical basis before WWII
40 years of CS research:
the rare-event problem in dependability precluded Monte Carlo simulation
performability and stochastic Petri net tools (Meyer, Trivedi)
extraordinary advances in tool building: fast algorithms, BDDs, a billion states is routine (Sanders, Ciardo)
ongoing integration with model checking (Haverkort, Kwiatkowska)

37 rigour through stochastic models
do we make better decisions?
(timeline 2005 → 2015++) best modeller judgement; ask specialists if all right; ask CISOs if decisions are better; collect and compile data and evidence

38 the future

39 trust-economics as design methodology
back to facebook: how to protect your data across all your social network sites?
currently: OAuth 2.0 and similar protocols:
–make it easy for facebook and others to distribute your data (with your permission)
we are developing user managed access (UMA):
–makes it easy for you to protect your data
UMA is a standard effort of the Kantara initiative, with PayPal, Sun and others

40 user managed access
you decide who gets access:

41 user managed access
one possible usage model: facebook and others put a UMA button on their site for you to apply access restrictions to data

42 trust economics in the design
predict trade-off between confidentiality and availability
identify how people would use UMA
–to configure access restrictions
–to access data
analyse different design alternatives
–UMA button
–seamless OAuth access
model attacks and failure
this is not a GUI study
this is not a business case
it’s adding science into the design to consider incentives, habits and trade-offs of multiple parties

43 trust economics research
(timeline 2005 → 2010 → ++)
TE methodology defined
articulating CISO perspective
CISO decision making tools
ontology
compliance budget
TE as a design methodology
long-term scientific validation
HP ViStorm
business models for human behaviour / preferences
case studies

44 thanks
Johari, Jamal, Rob, Dee, John, Martin, Christiaan, John, Maciej, Lukasz, Simon, Gemma, Chris, James, Rouaa, Wen, Rachel, Marios, Darek, Dasha
see web site for all their papers (ontologies, CISOs, data collection, modelling, case studies, UMA, ...)
trust economics projects (TSB, HP and others)
SMART projects (TSB, JISC)
projects with Nigel (EPSRC)
all of you

