From Situation Awareness to Action: An Information Security Management Toolkit for Socio-technical Security Retrospective and Prospective Analysis

Jean-Louis Huynen, Gabriele Lenzini

2017

Abstract

Inspired by the root cause analysis procedures common in safety, we propose a methodology for a prospective and a retrospective analysis of security, and a tool that implements it. When applied prospectively, the methodology guides analysts in assessing socio-technical vulnerabilities in a system, helping them to evaluate their choices in designing security policies and controls. The methodology also works retrospectively: it assists analysts in retrieving the causes of an observed socio-technical attack, guiding them to understand where the information security management of the system has failed. The methodology is tuned to find causes that are rooted in the human-related factors that an attacker can exploit to carry out an intrusion.

Paper Citation


in Harvard Style

Huynen J. and Lenzini G. (2017). From Situation Awareness to Action: An Information Security Management Toolkit for Socio-technical Security Retrospective and Prospective Analysis. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 213-224. DOI: 10.5220/0006211302130224


in Bibtex Style

@conference{icissp17,
author={Jean-Louis Huynen and Gabriele Lenzini},
title={From Situation Awareness to Action: An Information Security Management Toolkit for Socio-technical Security Retrospective and Prospective Analysis},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={213-224},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006211302130224},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - From Situation Awareness to Action: An Information Security Management Toolkit for Socio-technical Security Retrospective and Prospective Analysis
SN - 978-989-758-209-7
AU - Huynen J.
AU - Lenzini G.
PY - 2017
SP - 213
EP - 224
DO - 10.5220/0006211302130224