
    Improving Security Policy Decisions with Models

    Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous methodology, grounded in mathematical systems modelling and the economics of decision-making, can be used to explore the operational consequences of their design choices and help security managers to make better decisions. The methodology is based on constructing executable system models that illustrate the effects of different policy choices. Models are designed to be composed, allowing complex systems to be expressed as combinations of smaller, complete models. They capture the logical and physical structure of systems, the choices and behavior of agents within the system, and the security managers' preferences about outcomes. Models are parameterized from observations of the real world and the effectiveness of different security policies is explored through simulation. Utility theory is used to describe the extent to which security managers' policies deliver their security objectives.

    Why (and How) Networks Should Run Themselves

    The proliferation of networked devices, systems, and applications that we depend on every day makes managing networks more important than ever. The increasing security, availability, and performance demands of these applications suggest that these increasingly difficult network management problems be solved in real time, across a complex web of interacting protocols and systems. Alas, just as the importance of network management has increased, the network has grown so complex that it is seemingly unmanageable. In this new era, network management requires a fundamentally new approach. Instead of optimizations based on closed-form analysis of individual protocols, network operators need data-driven, machine-learning-based models of end-to-end and application performance based on high-level policy goals and a holistic view of the underlying components. Instead of anomaly detection algorithms that operate on offline analysis of network traces, operators need classification and detection algorithms that can make real-time, closed-loop decisions. Networks should learn to drive themselves. This paper explores this concept, discussing how we might attain this ambitious goal by more closely coupling measurement with real-time control and by relying on learning for inference and prediction about a networked application or system, as opposed to closed-form analysis of individual protocols.

    Trust economics feasibility study

    We believe that enterprises and other organisations currently lack sophisticated methods and tools to determine if and how IT changes should be introduced in an organisation, such that objective, measurable goals are met. This is especially true when dealing with security-related IT decisions. We report on a feasibility study, Trust Economics, conducted to demonstrate that such a methodology can be developed. Assuming a deep understanding of the IT involved, the main components of our trust economics approach are: (i) assess the economic or financial impact of IT security solutions; (ii) determine how humans interact with or respond to IT security solutions; (iii) based on the above, use probabilistic and stochastic modelling tools to analyse the consequences of IT security decisions. In the feasibility study we apply the trust economics methodology to address how enterprises should protect themselves against accidental or malicious misuse of USB memory sticks, an acute problem in many industries.

    Supporting security-oriented, collaborative nanoCMOS electronics research

    Grid technologies support collaborative e-Research typified by multiple institutions and resources seamlessly shared to tackle common research problems. The rules for collaboration and resource sharing are commonly achieved through establishment and management of virtual organizations (VOs) where policies on access and usage of resources by collaborators are defined and enforced by sites involved in the collaboration. The expression and enforcement of these rules is made through access control systems where roles/privileges are defined and associated with individuals as digitally signed attribute certificates which collaborating sites then use to authorize access to resources. Key to this approach is that the roles are assigned to the right individuals in the VO; the attribute certificates are only presented to the appropriate resources in the VO; it is transparent to the end-user researchers, and finally that it is manageable for resource providers and administrators in the collaboration. In this paper, we present a security model and implementation improving the overall usability and security of resources used in Grid-based e-Research collaborations through exploitation of the Internet2 Shibboleth technology. This is explored in the context of a major new security-focused project at the National e-Science Centre (NeSC) at the University of Glasgow in the nanoCMOS electronics domain.

    The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences

    Current smartphone operating systems regulate application permissions by prompting users on an ask-on-first-use basis. Prior research has shown that this method is ineffective because it fails to account for context: the circumstances under which an application first requests access to data may be vastly different than the circumstances under which it subsequently requests access. We performed a longitudinal 131-person field study to analyze the contextuality behind user privacy decisions to regulate access to sensitive resources. We built a classifier to make privacy decisions on the user's behalf by detecting when context has changed and, when necessary, inferring privacy preferences based on the user's past decisions and behavior. Our goal is to automatically grant appropriate resource requests without further user intervention, deny inappropriate requests, and only prompt the user when the system is uncertain of the user's preferences. We show that our approach can accurately predict users' privacy decisions 96.8% of the time, which is a four-fold reduction in error rate compared to current systems. Comment: 17 pages, 4 figures

    Development of a Methodology for the Economic Assessment of Managerial Decisions as a Factor of Increased Economic Security

    The article notes that the emergence of such a phenomenon as the interdependence of security and development, the so-called security-development nexus, becomes a determinant during the development of strategic documents at all hierarchical levels. It gives relevance to the search for methodological solutions that would on a strategic level take into account any potential threats to economic security, and on a tactical level provide for pragmatic actions that are not in conflict with the strategic development vector of business entities. The authors identify the instability factors that pose a real threat to economic security. They substantiate the expediency of forming a new model of the national economy development with a focal point on new industrialization. The article factors in the most important trends in the development of the global economy that determine the strategic vector of enhancing the economic security in Russia. It is ascertained that in the conditions of new industrialization, the intellectual core of the high-tech economy sector is formed by convergent technologies (NBICS technologies). The authors offer a methodological approach to the economic assessment of managerial decisions in the context of uncertainty. They also identify methodological principles that must be taken into account in developing a modern methodology for the economic assessment of business decisions. The principles include forming a preferred reality, or the so-called “vision of the future,” the priority of network solutions as the basis for the formation of new markets; mass customization and individualization of demands, principal changes in the profile of competences that ensure competitiveness on the labor market, use of the ideology of inclusive development and impact investment that creates common values. 
    The proposed methodology is based on the optimum combination of traditional methods used for the economic assessment of managerial decisions with the method of real options and reflexive assessments with regard to entropy as a measure of uncertainty. The proposed methodological approach has been tested in respect of the Ural mining and metallurgical complex. The article has been prepared with the support of the grant from the Russian Foundation for Basic Research № 16–06–00403 "Modelling the Motivational Potentials of the Multi-subject Industrial Policy in the Context of New Industrialization".

    Framework for a CIAT Strategic Initiative: Comparative Research on Restoration of Degraded Lands


    Lower Mekong Portfolio: Interim Evaluation

    This report summarizes a portfolio evaluation of the MacArthur Foundation's conservation investments in the Lower Mekong region since 2011. It is explicitly a portfolio-level evaluation, focusing on common themes rather than individual grants. The evaluation involved understanding the portfolio context through reviewing relevant documents and speaking with donor partners; gathering data from MacArthur grantees; calibrating initial evaluation findings through consultations with independent regional experts and donor partner grantees; improving future evaluation ability by cooperating with NatureServe to improve the Lower Mekong Dashboard; and presenting results in this evaluation report and to MacArthur directly.

    Passenger Flows in Underground Railway Stations and Platforms, MTI Report 12-43

    Urban rail systems are designed to carry large volumes of people into and out of major activity centers. As a result, the stations at these major activity centers are often crowded with boarding and alighting passengers, resulting in passenger inconvenience, delays, and at times danger. This study examines the planning and analysis of station passenger queuing and flows to offer rail transit station designers and transit system operators guidance on how to best accommodate and manage their rail passengers. The objectives of the study are to: 1) Understand the particular infrastructural, operational, behavioral, and spatial factors that affect and may constrain passenger queuing and flows in different types of rail transit stations; 2) Identify, compare, and evaluate practices for efficient, expedient, and safe passenger flows in different types of station environments and during typical (rush hour) and atypical (evacuations, station maintenance/refurbishment) situations; and 3) Compile short-, medium-, and long-term recommendations for optimizing passenger flows in different station environments.