    A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

    Oil and gas drilling is based, increasingly, on operational technology, whose cybersecurity is complicated by several challenges. We propose a graphical model for cybersecurity risk assessment based on Adversarial Risk Analysis to face those challenges. We also provide an example of the model in the context of an offshore drilling rig. The proposed model provides a more formal and comprehensive analysis of risks, still using the standard business language based on decisions, risks, and value. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    A Survey of Interdependent Information Security Games

    Risks faced by information system operators and users are not only determined by their own security posture, but are also heavily affected by the security-related decisions of others. This interdependence between information system operators and users is a fundamental property that shapes the efficiency of security defense solutions. Game theory is the most appropriate method to model the strategic interactions between these participants. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies, and present mechanisms to improve the security decisions of the participants. We focus our attention on games with interdependent defenders and do not discuss two-player attacker-defender games. Our goal is to distill the main insights from the state of the art and to identify the areas that need more attention from the research community.

    ALIGNING SECURITY AND USABILITY OBJECTIVES FOR COMPUTER BASED INFORMATION SYSTEMS

    With the extensive use of information systems in day-to-day business operations, many organizations face challenges in developing robust computer-based information systems that are secure and widely used by the user community. In order to develop information systems that are secure and useful, it is critical to understand what stakeholders consider important and value about security and usability. Security refers to confidentiality, integrity and availability; usability refers to efficiency, effectiveness and user satisfaction. Using the Value Focused Thinking approach, this research first proposes usability objectives based on the values of system developers and users. Using the security objectives proposed by Dhillon & Torkzadeh (2006) together with the usability objectives, this research proposes hierarchies with the overall goals of security (confidentiality, integrity, availability) and/or usability (efficiency, effectiveness and satisfaction). This research also analyzes a case of computer hacking and identifies which of the security and usability objectives have not been met in that case study. The research contributions, which include the usability objectives and the security and usability hierarchies, can be useful for theoretical as well as practical purposes.

    Optimising information security decision making

    The aim of the thesis is to investigate the relationship between human behaviour and effective security in order to develop tools and methods for supporting decision makers in the field of information security. A review of the literature of information security, Human Computer Interaction (HCI), and the economics of security reveals that the role of users in delivering effective security has largely been neglected. Security designers working without an understanding of the limitations of human cognition implement systems that, by their nature, offer perverse incentives to the user. The result is the adoption of insecure behaviour by the users in order to cope with the burdens placed upon them. Despite HCI identifying the need for increased usability in security, much of the research in the field of HCI Security (HCISec) still focuses on improving the usability of the interface to security systems, rather than the underlying system itself. In addition, while the impact of user non-compliance on the effectiveness of security has been demonstrated, most security design methods still rely on technical measures and controls to achieve their security aims. In recent years the need to incorporate human factors into security decision making has been recognised, but this process is not supported by appropriate tools or methodologies. The traditional CIA framework used to express security goals lacks the flexibility and granularity to support the analysis of the trade-offs that are taking place. The research gap is therefore not so much one of knowledge (for much of the required information does exist in the fields of security and HCI) but rather how to combine this knowledge to form an effective decision making framework. This gap is addressed by combining the fields of security and HCI with economics in order to provide a utility-based approach that allows the effective balancing and management of human factors alongside more technical measures and controls.
The need to consider human effort as a limited resource is shown by highlighting the negative consequences of neglecting this axis of resource measurement. This need is expressed through the Compliance Budget model, which treats users as perceptive actors conducting a cost/benefit analysis when faced with compliance decisions. Through the use of the qualitative data analysis methodology Grounded Theory, a set of semi-structured interviews was analysed to provide the basis for this model. Passwords form a running example throughout the thesis. The need to provide decision makers with empirical data grounded in the real world is recognised and addressed through a combination of data gathering techniques. A laboratory study and a field trial were conducted to gather performance data with two password policies. In order to make optimal use of this data, a unified approach to decision making is necessary. Alongside this, the usefulness of systems models as tools for simulation and analysis is recognised. An economically motivated framework is therefore presented that organises and expresses security goals together with the methods required to fulfil them. The role of the user is fully represented in this framework, which is structured in such a way as to allow a smooth transition from data gathering to systems modelling. This unified approach to optimising security decision making provides key insights into the requirements for making more effective real-world decisions in the field of information security and is a useful foundation for improving current practices in this area.