Dan Ionita

Argumentation-based security requirements elicitation: the next round

Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.

Threat navigator: grouping and ranking malicious external threats to current and future urban smart grids

Deriving value judgements about threat rankings for large and entangled systems, such as those of urban smart grids, is a challenging task. Suitable approaches should account for multiple threat events posed by different classes of attackers who target system components. Given the complexity of the task, a suitable level of guidance for ranking more relevant and filtering out the less relevant threats is desirable. This requires a method able to distill the list of all possible threat events in a traceable and repeatable manner, given a set of assumptions about the attackers. The Threat Navigator proposed in this paper tackles this issue. Attacker profiles are described in terms of Focus (linked to Actor-to-Asset relations) and Capabilities (Threat-to-Threat dependencies). The method is demonstrated on a sample urban Smart Grid. The ranked list of threat events obtained is useful for a risk analysis that ultimately aims at finding cost-effective mitigation strategies.

Tangible modelling to elicit domain knowledge: an experiment and focus group

Conceptual models represent social and technical aspects of the world relevant to a variety of technical and non-technical stakehold- ers. To build these models, knowledge might have to be collected from domain experts who are rarely modelling experts and don’t usually have the time or desire to learn a modelling language. We investigate an app- roach to overcome this challenge by using physical tokens to represent the conceptual model. We call the resulting models tangible models. We illustrate this idea by creating a tangible representation of a socio- technical modelling language and provide initial evidence of the relative usability and utility of tangible versus abstract modelling. We discuss psychological and social theories that could explain these observations and discuss generalizability and scalability of the approach.

Using Value Models for Business Risk Analysis in e-Service Networks

Commercially provided electronic services commonly operate on top of a complex, highly-interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provides fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed on its fraud potential.

Value-driven risk analysis of coordination models

Coordination processes are business processes that involve independent profit-and-loss responsible business actors who collectively provide something of value to a customer. Coordination processes are meant to be profitable for the business actors that execute them. However, because business actors are independent, there is also an increased risk of fraud. To compute profitability as well as quantify the risk of fraud, we need to attach value models to coordination process models. In this paper, we propose guidelines for deriving a value model from any coordination process model. Next, we show how our approach can be used to identify possibilities of fraud offered by a coordination process, as well as quantify the financial impact of known fraudulent processes. Finally, we discuss additional applications, such as identifying commercially superfluous tasks, or missing tasks needed to achieve a financially sustainable process.

ArgueSecure: Out-of-the-Box Security Risk Assessment

Most established security risk assessment methodologies aim to produce ranked lists of risks. But ranking requires quantification of risks, which in turn relies on data which may not be available or estimations which might not be accurate. As an alternative, we have previously proposed argumentation-based risk assessment. In this paper, based on practitioner feedback, we introduce the latest iteration of this method accompanied by two dedicated tools: an online, collaborative web-portal and an offline version. We focus on the lessons learned in iteratively developing and evaluating these tools and the underlying framework. This new framework – called ArgueSecure – focuses on graphically modelling the risk landscape as a collapsible tree. This tree structure intuitively encodes argument traces, therefore maintaining traceability of the results and providing insight into the decision process.

Automated Identification and Prioritization of Business Risks in e-service Networks

Modern e-service providers rely on service innovation to stay relevant. Once a new service package is designed, implementation-specific aspects such as value (co-)creation and cost/benefit analysis are investigated. However, due to time-to-market or competitive advantage constraints, innovative services are rarely assessed for potential risks of fraud before they are put out on the market. But these risks may result in loss of economic value for actors involved in the e-service’s provision. Our e3fraude3fraud approach automatically generates and prioritizes undesired-able scenarios from a business value model of the e-service, thereby drastically reducing the time needed to conduct an assessment. We provide examples from telecom service provision to motivate and illustrate the utility of the tool.

Model-Driven Information Security Risk Assessment of Socio-Technical Systems

As more aspects of life transition to the digital domain, computer systems become increasingly complex but also more social. But assessing a socio-technical system is no trivial task: it often requires intimate knowledge of the system, awareness of the social dynamics and trust relationships of its users, a deep understanding of both hardware and software, as well as the ability to quantify risks, communicate security policies and engage stakeholders. Conceptual models, as tools designed to help make sense of complex issues, can help with some of these problems. This dissertation explores the role of conceptual models in assessing risks related to the development and operation of socio-technical systems. I propose several model-driven modelling and analysis approaches which can be used stand-alone but can also augment existing risk management processes. The approaches are centered on three modelling paradigms not traditionally used in risk management. I use Tangible modelling, i.e. “physical” modeling using graspable three-dimensional tokens, to facilitate the collaborative modelling of socio-technical systems. I find it has beneficial effects on the quality of the resulting models when the modellers, especially when some of the modelers have a technical background. I use argumentation modelling, i.e. recording the rationale behind claims can support the security decision-making process, to support the security decision-making process. I find that structuring the risk assessment as a set of arguments forces risk assessors to make their assumptions explicit and that maintaining a mapping between risks and countermeasures increases the defensibility of the resulting security requirements. I use value modelling, i.e. understanding the value transfers which underpin any commercial information system, to quantify risks, identify vulnerabilities to fraud, and rationalize processes. I propose an ontological and procedural extension to automate this process.

Threat Analysis in Systems-of-Systems: An Emergence-Oriented Approach

Cyber-physical Systems of Systems (SoSs) are large-scale systems made of independent and autonomous cyber-physical Constituent Systems (CSs) which may interoperate to achieve high-level goals also with the intervention of humans. Providing security in such SoSs means, among other features, forecasting and anticipating evolving SoS functionalities, ultimately identifying possible detrimental phenomena that may result from the interactions of CSs and humans. Such phenomena, usually called emergent phenomena, are often complex and difficult to capture: the first appearance of an emergent phenomenon in a cyber-physical SoS is often a surprise to the observers. Adequate support to understand emergent phenomena will assist in reducing both the likelihood of design or operational flaws, and the time needed to analyze the relations amongst the CSs, which always has a key economic significance. This article presents a threat analysis methodology and a supporting tool aimed at (i) identifying (emerging) threats in evolving SoSs, (ii) reducing the cognitive load required to understand an SoS and the relations among CSs, and (iii) facilitating SoS risk management by proposing mitigation strategies for SoS administrators. The proposed methodology, as well as the tool, is empirically validated on Smart Grid case studies by submitting questionnaires to a user base composed of 3 stakeholders and 18 BSc and MSc students.

Outlining an ‘Evaluation continuum’: Structuring evaluation methodologies for infrastructure-related decision making tools

Validation of tools to support decisions on infrastructures evolutions should account for the context of their future use. Thus, the role of evaluation constructs is very important, because it identifies the operational context of a power grid. This paper reviews relevant evaluation methods that focus on partnership, collaborative planning, tool-supported collaborative planning, and individual decisions. We propose a structure called ‘Evaluation Continuum’ that embraces the methods. This paper aims to provide readers with a way to account for constructs relevant for validating tools. The outlined ‘Evaluation continuum’ can be used for planning gaming simulations and stakeholder workshops. It can be also useful for devising questionnaires for such sessions.