2 research outputs found

    Analysing the Efficacy of Security Policies in Cyber-Physical Socio-Technical Systems

    A crucial question for an ICT organization wishing to improve its security is whether a security policy together with physical access controls protects from socio-technical threats. We study this question formally. We model the information flow defined by what the organization's employees do (copy, move, and destroy information) and propose an algorithm that enforces a policy on the model, before checking against an adversary whether a security requirement holds.

    Modelling and validation of social influences in human security behaviour

    PhD Thesis
    A major challenge for organisations is effectively implementing security policies where employees have a choice to comply. For instance, an organisational requirement such as "no unauthorised personnel in restricted areas" may have a policy stating that authorised persons must wear identification badges and, therefore, places the onus on employees to make a choice and take responsibility for wearing their badge. Existing literature in psychology and human factors in security tells us that a person's compliance behaviour for a security policy depends on their compliance attitude. For the organisation, there exists uncertainty in quantifying the compliance attitudes of employees towards security policies where those employees have a choice to comply. Quantifying the compliance attitudes would allow an organisation to further establish its current risk environment. In the case of not wearing identification badges due to poor compliance attitudes, it would be challenging to identify unauthorised personnel and the organisational requirement would not be met. A person's compliance behaviour depends on their compliance attitude, which itself depends on the compliance behaviour of themselves and of others. For example, the compliance behaviour of top-level management can influence others to be non-compliant. This thesis poses the question of how one could quantify compliance attitudes for security policies in an organisation where people can observe other people's compliance behaviour. This thesis contributes the following: 1) modelling of social influences in Coloured Petri Nets; 2) a rule-based model to represent agents that observe the actions of other agents; 3) the application of machine learning to identify hidden compliance attitudes; 4) a user study with behavioural interventions towards security policy compliance; 5) a simulation tool for assessing how compliance attitudes evolve amongst agents; 6) validation of the simulation tool by comparison to the empirical data from the user study.
    Overall, we believe that this thesis provides a holistic approach towards social influences over compliance attitudes, and the simulation tool paves the way towards accurately assessing compliance attitudes for security policies.