    RADAR: A Lightweight Tool for Requirements and Architecture Decision Analysis

    Uncertainty and conflicting stakeholders' objectives make many requirements and architecture decisions particularly hard. Quantitative probabilistic models allow software architects to analyse such decisions using stochastic simulation and multi-objective optimisation, but the difficulty of elaborating the models is an obstacle to the wider adoption of such techniques. To reduce this obstacle, this paper presents a novel modelling language and analysis tool, called RADAR, intended to facilitate requirements and architecture decision analysis. The language has relations to quantitative AND/OR goal models used in requirements engineering and to feature models used in software product lines. However, it simplifies such models to a minimum set of language constructs essential for decision analysis. The paper presents RADAR's modelling language and automated support for decision analysis, and evaluates its application to four real-world examples.

    Improving Security Policy Decisions with Models

    Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous methodology, grounded in mathematical systems modelling and the economics of decision-making, can be used to explore the operational consequences of their design choices and help security managers to make better decisions. The methodology is based on constructing executable system models that illustrate the effects of different policy choices. Models are designed to be composed, allowing complex systems to be expressed as combinations of smaller, complete models. They capture the logical and physical structure of systems, the choices and behavior of agents within the system, and the security managers' preferences about outcomes. Models are parameterized from observations of the real world, and the effectiveness of different security policies is explored through simulation. Utility theory is used to describe the extent to which security managers' policies deliver their security objectives.

    A calculus and logic of bunched resources and processes

    Mathematical modelling and simulation modelling are fundamental tools of engineering, science, and social sciences such as economics, and provide decision-support tools in management. Mathematical models are deployed at essentially all scales, all levels of complexity, and all levels of abstraction. Models are often required to be executable, as a simulation, on a computer. We present some contributions to the process-theoretic and logical foundations of discrete-event modelling with resources and processes. Building on previous work in resource semantics, process calculus, and modal logic, we describe a process calculus with an explicit representation of resources in which processes and resources co-evolve. The calculus is closely connected to a substructural modal logic that may be used as a specification language for properties of models. In contrast to earlier work, we formulate the resource semantics, and its relationship with process calculus, in such a way that we obtain soundness and completeness of bisimulation with respect to logical equivalence for the naturally full range of logical connectives and modalities. We give a range of examples of the use of the process combinators and logical structure to describe system structure and behaviour.

    Integrating Systems and Economic Models for Security Investments in the Presence of Dynamic Stochastic Shocks

    Organizations deploy a number of security measures with differing intensities to protect their company's information assets. These assets are found in various locations within a company, with differing levels of security applied to them. Such measures protect the different aspects of the organization's information systems, which are typically separated into three attributes: confidentiality, integrity, and availability. We start by defining a system in terms of its locations, resources and processes, to use as an underlying framework for our security model. We then systematically define the time evolution of all three attributes when subjected to shocks aimed at degrading the system's capacity. We shock each of the attributes of the system and trace the adjustment of the attributes and the policy responses; we undertake this exercise for different types of organizations: a military weapons system operator, a financial firm or bank, a retail organization, and a medical research organization, producing their impulse-response functions to quantify their responses and speed of adjustment. This economic model is validated through various means, including Monte Carlo simulations. We find that organizations, although they react in similar ways to shocks to their attributes over time, and are able to return quickly to their pre-shock states, differ in the intensity of their policy responses, which depend upon the character of the organization.

    A substructural modal logic of utility

    We introduce a substructural modal logic of utility that can be used to reason about optimality with respect to properties of states. Our notion of state is quite general, and is able to represent resource allocation problems in distributed systems. The underlying logic is a variant of the modal logic of bunched implications, and is based on resource semantics, which is closely related to concurrent separation logic. We consider a labelled transition semantics and establish conditions under which Hennessy-Milner soundness and completeness hold. By considering notions of cost, strategy and utility, we are able to formulate characterizations of Pareto optimality, best responses, and Nash equilibrium within resource semantics. We also show that our logic is able to serve as a logic for a fully featured process algebra, and explain the interaction between utility and the structure of processes.

    Resource semantics: logic as a modelling technology

    The Logic of Bunched Implications (BI) was introduced by O'Hearn and Pym. The original presentation of BI emphasised its role as a system for formal logic (broadly in the tradition of relevant logic) that has some interesting properties, combining a clean proof theory, including a categorical interpretation, with a simple truth-functional semantics. BI quickly found significant applications in program verification and program analysis, chiefly through a specific theory of BI that is commonly known as 'Separation Logic'. We survey the state of work in bunched logics - which, by now, is a quite large family of systems, including modal and epistemic logics and logics for layered graphs - in such a way as to organize the ideas into a coherent (semantic) picture with a strong interpretation in terms of resources. One such picture can be seen as deriving from an interpretation of BI's semantics in terms of resources, and this view provides a basis for a systematic interpretation of the family of bunched logics, including modal, epistemic, layered graph, and process-theoretic variants, in terms of resources. We explain the basic ideas of resource semantics, including comparisons with Linear Logic and ideas from economics and physics. We include discussions of BI's λ-calculus, of Separation Logic, and of an approach to distributed systems modelling based on resource semantics.

    Co-design and modelling of security policy for cultural and behavioural aspects of security in organisations

    Organisations have historically applied a technology-oriented approach to information security. However, organisations are increasingly acknowledging the importance of human factors in managing secure workplaces. Having an effective security culture is seen as preferable to enforced compliance with policy. Yet the study of security culture has not been addressed consistently, either in terms of its conceptual meaning or its practical implementation. Consequently, practitioners lack guidance on cultural elements of security provisioning and on engaging employees in identifying security solutions. To address existing problems relating to security policy in respect of organisational culture, this thesis explores behavioural and cultural aspects of organisational security. We address gaps in human-centred research, focusing on the lack of work representing real-world environments and insufficient collaboration between researchers and practitioners in the study of security culture. We address these gaps through analytical work, a novel co-design methodology, and two user studies. We demonstrate that current approaches to security interventions mirror rational-agent economics, even where behavioural economics is embodied in promoting security behaviours. We present two case studies exploring the dynamics between security provisioning and organisational culture in real-world environments, focusing on distinct groups of users — employees, security managers, and IT/security support — whose interactions are understudied. Our co-design methodology surfaces the complex, interconnected nature of supporting workable security practices by engaging modellers and stakeholders in a collaborative process that produces mutually understood and beneficial models. We find that employees prefer local support and assurances of secure behaviour rather than guidance without local context. Trust-based relationships with support teams improve engagement. Policy is perceived through interactions with support staff and by observing everyday workplace security behaviours. We find value in engaging with decision-makers and understanding their decision-making processes. We encourage researchers and practitioners to engage in a co-design process producing multi-stakeholder views of the complexities of security in organisations.

    Modelling and Analysing Software Requirements and Architecture Decisions under Uncertainty

    Early requirements engineering and software architectural decisions are critical to the success of software development projects. However, such decisions are confronted with complexities resulting from uncertainty about the possible impacts of decision choices on objectives; conflicting stakeholder objectives; and a huge space of alternative designs. Quantitative decision modelling is a promising approach to tackling the increasing complexity of requirements and architectural decisions. It allows one to use quantitative techniques, such as stochastic simulation and multi-objective optimisation, to model and analyse the impact of alternative decisions on stakeholders' objectives. Existing requirements and architecture methods that use quantitative decision models are limited by the difficulty of elaborating quantitative decision models and/or the lack of integrated tool support for automated decision analysis under uncertainty. This thesis addresses these problems by presenting a novel modelling language and automated decision analysis technique, implemented in a tool called RADAR, intended to facilitate requirements and architecture decisions under uncertainty. RADAR's modelling language has relations to quantitative AND/OR goal models used in requirements engineering and feature models used in software product lines. The language enables modelling requirements and architectural decision problems characterised by (i) single option selection, similar to the mutually exclusive option selection (XOR-nodes) of feature diagrams; (ii) multiple option selection, similar to the non-mutually exclusive option selection (OR-nodes) of feature diagrams; and (iii) constraint dependency relationships, e.g., excludes, requires and coupling, between options of decisions. RADAR's analysis technique uses a multi-objective simulation optimisation technique to evaluate and shortlist the alternatives that produce the best trade-offs between stakeholders' objectives. Additionally, the analysis technique employs information value analysis to estimate the financial value of reducing uncertainty before making a decision. We evaluate RADAR's applicability, usefulness and scalability on a set of real-world systems from different application domains, characterised by design space sizes between 6 and 2E50. Our evaluation results show that RADAR's modelling language and analysis technique are applicable to a range of real-world requirements and architecture decision problems, and that in a few seconds RADAR can analyse decision problems characterised by large design spaces, using a highly performant optimisation method based on evolutionary search-based optimisation algorithms.

    Human decision-making in computer security incident response

    Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from the biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge is of clusters of multi-field mechanism schemas on four dimensions. General knowledge structures such as the intrusion kill chain provide context and provide hypotheses for filling in details. The philosophical analysis answers this research question, and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic as automated decision support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.

    Modelling and Simulating Systems Security Policy

    Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous modelling framework and methodology—grounded in semantically justified mathematical systems modelling, the economics of decision-making, and simulation—can be used to explore the operational consequences of their design choices and help security managers to make better decisions. The methodology is based on constructing executable system models that illustrate the effects of different policy choices. Models are compositional, allowing complex systems to be expressed as combinations of smaller, complete models. They capture the logical and physical structure of systems, the choices and behaviour of agents within the system, and the security managers' preferences about outcomes. Utility theory is used to describe the extent to which security managers' policies deliver their security objectives. Models are parametrized based on data obtained from observations of real-world systems that correspond closely to the examples described.