Modelling Socio-Technical Aspects of Organisational Security

Identification of threats to organisations and risk assessment often take into consideration the pure technical aspects, overlooking the vulnerabilities originating from attacks on a social level, for example social engineering, and abstracting away the physical infrastructure. However, attacks on organisations are far from being purely technical. After all, organisations consist of employees. Often the human factor appears to be the weakest point in the security of organisations. It may be easier to break through a system using a social engineering attack rather than a pure technological one. The StuxNet attack is only one of the many examples showing that vulnerabilities of organisations are increasingly exploited on different levels including the human factor. There is an urgent need for integration between the technical and social aspects of systems in assessing their security. Such an integration would close this gap, however, it would also result in complicating the formal treatment and automatic identification of attacks. This dissertation shows that applying a system modelling approach to sociotechnical systems can be used for identifying attacks on organisations, which exploit various levels of the vulnerabilities of the systems. In support of this claim we present a modelling framework, which combines many features. Based on a graph, the framework presents the physical infrastructure of an organisation, where actors and data are modelled as nodes in this graph. Based on the semantics of the underlying process calculus, we develop a formal analytical approach that generates attack trees from the model. The overall goal of the framework is to predict, prioritise and minimise the vulnerabilities in organisations by prohibiting the overall attack or at least increasing the difficulty and cost of fulfilling it. We validate our approach using scenarios from IPTV and Cloud Infrastructure case studies

Modelling Security Requirements Through Extending Scrum Agile Development Framework

Security is today considered as a basic foundation in software development and therefore, the modelling and implementation of security requirements is an essential part of the production of secure software systems. Information technology organisations are moving towards agile development methods in order to satisfy customers' changing requirements in light of accelerated evolution and time restrictions with their competitors in software production. Security engineering is considered difficult in these incremental and iterative methods due to the frequency of change, integration and refactoring. The objective of this work is to identify and implement practices to extend and improve agile methods to better address challenges presented by security requirements consideration and management. A major practices is security requirements capture mechanisms such as UMLsec for agile development processes. This thesis proposes an extension to the popular Scrum framework by adopting UMLsec security requirements modelling techniques with the introduction of a Security Owner role in the Scrum framework to facilitate such modelling and security requirements considerations generally. The methodology involved experimentation of the inclusion of UMLsec and the Security Owner role to determine their impact on security considerations in the software development process. The results showed that overall security requirements consideration improved and that there was a need for an additional role that has the skills and knowledge to facilitate and realise the benefits of the addition of UMLsec

Business Case Analysis for Social and Environmental Initiatives: The Case of the Milton Keynes Electric Light Vehicle Infrastructure Project

Concerns about climate change, energy security and advances in battery technology have stimulated a renewed interest in electric vehicles. The uptake of electric vehicles can encourage and facilitate the shift from fossil fuels to a low-carbon transport system. The Milton Keynes Electric Light Vehicle Infrastructure (ELVIS) project promotes widespread use of battery-powered cars. The organisations examined in this study use conventional accounting-based tools that Gray (2006) views as maximising capitalism to the exclusion of almost anything else that might be termed wonderful, aspirational or desirable to the human condition. Bebbington et al. (2007) indicate that sustainability assessment modelling is a superior technique for assessing sustainable development initiatives such as an engagement with electric vehicles. The model proposed by Bebbington et al. (2007) takes into consideration social, environmental and other externalities that conventional accounting does not account for. Using the lens of Dillard et al. (2004,) this study examined participating organisations in the Milton Keynes electric vehicle project and found out that these organisations are not applying sustainability assessment modelling to their engagement with electric vehicles or other such initiatives. The organisations seem to be either just paying lip service to the issue of sustainability, or they are in a transitional stage of their sustainability effort, or don’t see the need for appropriate social accounting technologies such as sustainability assessment modelling

Co-design and modelling of security policy for cultural and behavioural aspects of security in organisations

Organisations have historically applied a technology-oriented approach to information security. However, organisations are increasingly acknowledging the importance of human factors in managing secure workplaces. Having an effective security culture is seen as preferable to enforced compliance with policy. Yet, the study of security culture has not been addressed consistently, either in terms of its conceptual meaning or its practical implementation. Consequently, practitioners lack guidance on cultural elements of security provisioning and on engaging employees in identifying security solutions. To address existing problems relating to security policy in respect of organisational culture, this thesis explores behavioural and cultural aspects of organisational security. We address gaps in human-centred research, focusing on the lack of work representing real-world environments and insufficient collaboration between researchers and practitioners in the study of security culture. We address these gaps through analytical work, a novel co-design methodology, and two user studies. We demonstrate that current approaches to security interventions mirror rational-agent economics, even where behavioural economics is embodied in promoting security behaviours. We present two case studies exploring the dynamics between security provisioning and organisational culture in real-world environments, focusing on distinct groups of users — employees, security managers, and IT/security support — whose interactions are understudied. Our co-design methodology surfaces the complex, interconnected nature of supporting workable security practices by engaging modellers and stakeholders in a collaborative process producing mutually understood and beneficial models. We find employees prefer local support and assurances of secure behaviour rather than guidance without local context. Trust-based relationships with support teams improve engagement. Policy is perceived through interactions with support staff and by observing everyday workplace security behaviours. We find value in engaging with decision-makers and understanding their decision-making processes. We encourage researchers and practitioners to engage in a co-design process producing multi-stakeholder views of the complexities of security in organisations

A model to address factors that could influence the information security behaviour of computing graduates

The fact that information is ubiquitous throughout most modern organisations cannot be denied. Information is not merely used as an enabler in modern organisations today, but is also used to gain a competitive advantage over competitors. Thus, information has become one of the most important business assets. It is, therefore, imperative that organisations protect information assets as they would protect other business assets. This is typically achieved through implementing various security measures.Technological and procedural security measures are largely dependent on humans. However, the incorrect behaviour of humans poses a significant threat to the protection of these information assets. Thus, it is vital to understand how human behaviour may impact the protection of information assets. While the focus of much literature is on organisations, the focus of this research is on higher education institutions and the factors of information security, with a specific focus on influencing the information security behaviour of computing graduates. Typically, computing graduates would be employed in organisations in various careers such as software developers, network administrators, database administrators and information systems analysts. Employment in these careers means that they would be closely interacting with information assets and information systems. A real problem, as identified by this research, is that currently, many higher education institutions are not consciously doing enough to positively influence the information security behaviour of their computing graduates. This research presents a model to address various factors that could influence the information security behaviour of computing graduates. The aim of this model is to assist computing educators in influencing computing graduates to adopt more secure behaviour, such as security assurance behaviour. A literature review was conducted to identify the research problem. A number of theories such as the Theory of Planned Behaviour, Protection Motivation Theory and Social Cognitive Theory were identified as being relevant for this research as they provided a theoretical foundation for factors that could influence the information security behaviour of computing graduates. Additionally, a survey was conducted to gather the opinions and perceptions of computing educators relating to information security education in higher education institutions. Results indicated that information security is not pervasively integrated within the higher education institutions surveyed. Furthermore, results revealed that most computing students were perceived to not be behaving in a secure manner with regard to information security. This could negatively influence their information security behaviour as computing graduates employed within organisations. Computing educators therefore require assistance in influencing the information security behaviour of these computing students. The proposed model to provide this assistance was developed through argumentation and modelling

A model to address factors that could influence the information security behaviour of computing graduates

The fact that information is ubiquitous throughout most modern organisations cannot be denied. Information is not merely used as an enabler in modern organisations today, but is also used to gain a competitive advantage over competitors. Thus, information has become one of the most important business assets. It is, therefore, imperative that organisations protect information assets as they would protect other business assets. This is typically achieved through implementing various security measures.Technological and procedural security measures are largely dependent on humans. However, the incorrect behaviour of humans poses a significant threat to the protection of these information assets. Thus, it is vital to understand how human behaviour may impact the protection of information assets. While the focus of much literature is on organisations, the focus of this research is on higher education institutions and the factors of information security, with a specific focus on influencing the information security behaviour of computing graduates. Typically, computing graduates would be employed in organisations in various careers such as software developers, network administrators, database administrators and information systems analysts. Employment in these careers means that they would be closely interacting with information assets and information systems. A real problem, as identified by this research, is that currently, many higher education institutions are not consciously doing enough to positively influence the information security behaviour of their computing graduates. This research presents a model to address various factors that could influence the information security behaviour of computing graduates. The aim of this model is to assist computing educators in influencing computing graduates to adopt more secure behaviour, such as security assurance behaviour. A literature review was conducted to identify the research problem. A number of theories such as the Theory of Planned Behaviour, Protection Motivation Theory and Social Cognitive Theory were identified as being relevant for this research as they provided a theoretical foundation for factors that could influence the information security behaviour of computing graduates. Additionally, a survey was conducted to gather the opinions and perceptions of computing educators relating to information security education in higher education institutions. Results indicated that information security is not pervasively integrated within the higher education institutions surveyed. Furthermore, results revealed that most computing students were perceived to not be behaving in a secure manner with regard to information security. This could negatively influence their information security behaviour as computing graduates employed within organisations. Computing educators therefore require assistance in influencing the information security behaviour of these computing students. The proposed model to provide this assistance was developed through argumentation and modelling

Towards business integration as a service 2.0 (BIaaS 2.0)

Cloud Computing Business Framework (CCBF) is a framework for designing and implementation of Could Computing solutions. This proposal focuses on how CCBF can help to address linkage in Cloud Computing implementations. This leads to the development of Business Integration as a Service 1.0 (BIaaS 1.0) allowing different services, roles and functionalities to work together in a linkage-oriented framework where the outcome of one service can be input to another, without the need to translate between domains or languages. BIaaS 2.0 aims to allow automation, enhanced security, advanced risk modelling and improved collaboration between processes in BIaaS 1.0. The benefits from adopting BIaaS 1.0 and developing BIaaS 2.0 are illustrated using a case study from the University of Southampton and several collaborators including IBM US. BIaaS 2.0 can work with mainstream technologies such as scientific workflows, and the proposal and demonstration of BIaaS 2.0 will be aimed to certainly benefit industry and academia. © 2011 IEEE

Towards Business Integration as a Service 2.0

Cloud Computing Business Framework (CCBF) is a framework for designing and implementation of Could Computing solutions. This proposal focuses on how CCBF can help to address linkage in Cloud Computing implementations. This leads to the development of Business Integration as a Service 1.0 (BIaS 1.0) allowing different services, roles and functionalities to work together in a linkage-oriented framework where the outcome of one service can be input to another, without the need to translate between domains or languages. BIaS 2.0 aims to allow full automation, enhanced security, advanced risk modelling and improved collaboration between processes in BIaaS 1.0. The benefits from adopting BIaS 1.0 and developing BIaS 2.0 are illustrated using a case study from the University of Southampton and several collaborators including IBM US. BIaS 2.0 can work with mainstream technologies such as scientific workflows, and the proposal and demonstration of BIaaS 2.0 will certainly benefit industry and academia

Australian commercial-critical infrastructure management protection

Secure management of Australia\u27s commercial critical infrastructure presents ongoing challenges to owners and the government. Although managed via a high-level information sharing collaboration of government and business, critical infrastructure protection is further complicated by the lack of a lower-level scalable model exhibiting its various levels, sectors and sub-sectors. This research builds on the work of Marasea (2003) to establish a descriptive critical infrastructure model and also considers the influence and proposed modelling of critical infrastructure dependency inter-relationships.<br /

Studying SCADA Organisations Information Security Goals: An Integrated System Theory Approach

Security awareness and its implementation within an organisation is crucial for preventing deliberate attacks or/and minimise system failures on organisation’s system especially where critical infrastructure is involved including energy, water, gas and etc. This study is based on Integrated System Theory (IST) and focuses on measuring and assessing security goals including policies, risk management, internal control and contingency management implemented in 101 organisations that operate Supervisory Control and Data Acquisition (SCADA) Systems. The data collected were analysed using structural equation modelling to test the structural and measurement model. The major finding of this study is that organisational information security goals are strongly related to the key measurement indicators, which include items assessing security policies, risk management, internal controls and contingency management