Publication


Featured research published by Matthew L. Hale.


world congress on services | 2012

SecAgreement: Advancing Security Risk Calculations in Cloud Services

Matthew L. Hale; Rose F. Gamble

By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.


international conference on software engineering | 2011

SEREBRO: facilitating student project team collaboration

Noah Jorgenson; Matthew L. Hale; Rose F. Gamble

In this demonstration, we show SEREBRO, a lightweight courseware developed for student team collaboration in a software engineering class. SEREBRO couples an idea forum with software project management tools to maintain cohesive interaction between team discussion and resulting work products, such as tasking, documentation, and version control. SEREBRO has been used consecutively for two years of software engineering classes. Student input and experiments on student use in these classes have directed SEREBRO to its current functionality.


world congress on services | 2013

Building a Compliance Vocabulary to Embed Security Controls in Cloud SLAs

Matthew L. Hale; Rose F. Gamble

Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.


global communications conference | 2012

Risk propagation of security SLAs in the cloud

Matthew L. Hale; Rose F. Gamble

For organizations with mission critical systems, moving data or functionality to the cloud introduces a risk of additional exposed vulnerabilities associated with cloud service providers not implementing organizationally selected security controls. When internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings for security risk. Whenever an SLA is formed, the level of risk incurred is based on how well the offered service terms meet the organizational security demands. In the cloud, additional SLAs between third party cloud service providers are formed to federate cloud resources, effectively distributing organizational risk among the various providers involved in the negotiated federations or service compositions. At runtime, whenever a cloud or service violates its SLA with respect to security controls or cancels any security offerings, the risk of noncompliance with organizational security policies increases. This paper provides a process to adapt to the propagated changes of service provider security risks within a service composition or federation due to SLA violations. The process is based on a distributed risk-aware renegotiation algorithm that replaces services if they violate SLAs.


hawaii international conference on system sciences | 2015

CyberPhishing: A Game-Based Platform for Phishing Awareness Testing

Matthew L. Hale; Rose F. Gamble; Philip Gamble

Phishing attacks sap billions of dollars annually from unsuspecting individuals while compromising individual privacy. Companies and privacy advocates seek ways to better educate the populace against such attacks. Current approaches examining phishing include test-based techniques that ask subjects to classify content as phishing or not and in-the-wild techniques that directly observe subject behavior through distribution of faked phishing attacks. Both approaches have issues. Test-based techniques produce less reliable data since subjects may adjust their behavior with the expectation of seeing phishing stimuli, while in-the-wild studies can put subjects at risk through lack of consent or exposure of data. This paper examines a third approach that seeks to incorporate game-based learning techniques to combine the realism of in-the-wild approaches with the training features of testing approaches. We propose a three phase experiment to test our approach on our CyberPhishing simulation platform, and present the results of phase one.


frontiers in education conference | 2013

Assessing individual performance in Agile undergraduate software engineering teams

Rose F. Gamble; Matthew L. Hale

The Agile Software Development (ASD) process is at the forefront of rapid product development driven by changing customer requirements and a trusted, self-organizing development team. Scrum has become a viable model of ASD focusing on determining immediate deliverables and structuring short timelines, called Sprints, for designing, implementing, and providing them for testing by the customer. While these practices are being adopted by organizations, there is significant difficulty in scaling them to the classroom. Once in place, it is a complex task to evaluate individual student performance based solely on the product outcome and Sprint grade. Thus, there is limited opportunity to catch performance problems that may lead to missing deliverable deadlines or decreasing team trust. In this paper, we impose ASD using Scrum on a senior software projects course in Computer Science. Using a collaborative environment that embeds a social network, project management modules, and event capture system, we perform broad data and event capture and analysis to investigate metrics that are relevant to assessing individual performance aspects related to functioning on an Agile team for software development. Our results suggest that predictive data is available after each Sprint to ascertain individual performance attributes and their relationship to product outcomes.


conference on software engineering education and training | 2011

Predicting individual performance in student project teams

Matthew L. Hale; Noah Jorgenson; Rose F. Gamble

Due to the critical role of communication in project teams, capturing and analyzing developer design notes and conversations for use as performance predictors is becoming increasingly important as software development processes become more asynchronous. Current prediction methods require human Subject Matter Experts (SME) to laboriously examine and rank user content along various categories such as participation and the information they express. SEREBRO is an integrated courseware tool that captures social and development artifacts automatically and provides real time rewards, in the form of badges and titles, indicating a user's progress towards predefined goals using a variety of automated assessment measures. The tool allows for instructor visualization, involvement, and feedback in the ongoing projects and provides avenues for the instructor to adapt or adjust project scope or individual role assignments based on past or current individual performance levels. This paper evaluates and compares the use of two automated SEREBRO measures with SME content-based analysis and work product grades as predictors of individual performance. Data is collected from undergraduate software engineering teams using SEREBRO, whose automated measures of content and contribution perform as well as SME ratings and grades to suggest individual performance can be predicted in real-time.


international conference on software engineering | 2011

Analyzing the role of tags as lightweight traceability links

Matthew L. Hale; Noah Jorgenson; Rose F. Gamble

Tagging offers a traceability mechanism for software development by connecting artifacts in a meaningful way. Our integrated courseware, SEREBRO, provides a framework of tools that capture conversation and artifact creation and modification throughout the software development lifecycle by student team members developing non-trivial software products in a Software Engineering course. Using a data driven approach, we investigate the use of lightweight tagging mechanisms applied by student software project teams and present some preliminary results of this investigation.


international conference on software engineering | 2011

Security policy foundations in context UNITY

M. Todd Gamble; Rose F. Gamble; Matthew L. Hale

Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.


world congress on services | 2014

Toward Increasing Awareness of Suspicious Content through Game Play

Matthew L. Hale; Rose F. Gamble

Phishing, elicitation, and impersonation techniques are performed using multiple forms, targeting content specific to the delivery modality, such as email, social media, and general browser communications. Education to increase awareness is one mechanism to combat phishing. Average email and internet users are less attentive to media warnings and training materials provided by employers than they are in interactive environments. In this paper, we overview a game concept that immerses users in a role play challenge where they must send email, use social media, and browse the web and determine whether content received within these modalities is trustworthy or not. The game, built as a JavaScript framework, simulates phishing scams, measures trust and suspicion levels, and individualizes training for users. The game architecture employs components that facilitate dynamic content generation in each of the modalities, customize experiment design for specific assessment and training, and perform sophisticated tracking for automated analysis of user trust content assessments. We discuss the game content, the specific requirements the game must comply with, and the experiments to be conducted using the game.
