379 research outputs found

    Discrete Choice, Social Interaction, and Policy in Encryption Technology Adoption

    We introduce a model for examining the factors that lead to the adoption of new encryption technologies. Building on the work of Brock and Durlauf, the model describes how agents make choices, in the presence of social interaction, between competing technologies given their relative cost, functionality, and usability. We apply the model to examples about the adoption of encryption in communication (email and messaging) and storage technologies (self-encrypting drives) and also consider our model’s predictions for the evolution of technology adoption over time

    Practicing a Science of Security: A Philosophy of Science Perspective

    Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences

    Found in Translation: Co-design for Security Modelling

    Background. In increasingly complex and dynamic environments, it is difficult to predict potential outcomes of security policies. Therefore, security managers (or other stakeholders) are often challenged with designing and implementing security policies without knowing the consequences for the organization. Aim. Modelling, as a tool for thinking, can help identify those consequences in advance as a way of managing decision-making risks and uncertainties. Our co-design approach aims to tackle the challenges of problem definition, data availability, and data collection associated with modelling behavioural and cultural aspects of security. Method. Our process of modelling co-design is a proposed solution to these challenges, in particular for models aiming to incorporate organizational security culture. We present a case study of a long-term study at Company A, where using the methods of participatory action research, humble inquiry, and thematic analysis, largely shaped our understanding of co-design. We reflect on the methodological advantages of co-design, as well as shortcomings. Result. Our methodology engages modellers and system stakeholders through a four-stage co-design process consisting of (1) observation and candidate data availability, (2) candidate model design, (3) interpretation of model consequences, and (4) interpretation of domain consequences. Conclusion. We have proposed a new methodology by integrating the concept of co-design into the classical modelling cycle and providing a rigorous methodology for the construction of models that captures the system and its behaviours accurately. We have also demonstrated what an attempt at co-design looks like in the real-world, and reflected upon necessary improvements

    Asset-Oriented Access Control: Towards a New IoT Framework

    Controlling asset-access has traditionally been considered a matter for systems in which assets reside. Centralized approaches to access control are, however, problematic for the IoT. One reason for this is that devices may not be confined to a single system of control. In this abstract, we argue for a new paradigm in which assets are empowered to make their own access decisions. To facilitate this shift in perspective, we propose a policy-neutral framework based on principles adapted from object-oriented programming. This approach establishes assets as active, message-passing entities that store and determine their own access control. We describe initial work modelling the interaction of such assets and point to future formal work for reasoning about protocols and policy composition

    Improving Security Policy Decisions with Models

    Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous methodology, grounded in mathematical systems modelling and the economics of decision-making, can be used to explore the operational consequences of their design choices and help security managers to make better decisions. The methodology is based on constructing executable system models that illustrate the effects of different policy choices. Models are designed to be composed, allowing complex systems to be expressed as combinations of smaller, complete models. They capture the logical and physical structure of systems, the choices and behavior of agents within the system, and the security managers' preferences about outcomes. Models are parameterized from observations of the real world and the effectiveness of different security policies is explored through simulation. Utility theory is used to describe the extent to which security managers' policies deliver their security objectives.

    Manual of health and temperance


    The U.S. Vulnerabilities Equities Process: An Economic Perspective

    The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero day exploit, EternalBlue, can be interpreted using the model

    Hooking up with friends: LGBTQ plus young people, dating apps, friendship and safety

    © The Author(s) 2020. Research exploring digital intimate publics tends to consider social media platforms and dating/hook-up apps separately, implying distance between social and sexual communication practices. This paper troubles that delineation by drawing on LGBTQ+ young people’s accounts of negotiating safety and risk in dating/hook-up apps, in which friendship practices are significant. We explore four key themes of friendship that arose in our analysis of interviews and workshop discussions: sharing mutuals (or friends-in-common) with potential dates/hook-ups; making friends through apps; friends supporting app negotiations; and friends’ involvement in safety strategies. Through analysis of these data, we firstly argue that friendship is often both an outcome and an organising force of LGBTQ+ young people’s uses of dating/hook-up apps, and secondly, that media sites commonly defined as social (e.g. Instagram) or sexual (e.g. Tinder) are imbricated, with friendship contouring queer sex and dating practices

    Interface sharpening in CoFeB magnetic tunnel junctions

    We report grazing incidence x-ray scattering evidence for sharpening of the interface between amorphous Co60Fe20B20 and AlOx during in situ annealing below the Co60Fe20B20 crystallization temperature. Enhancement of the interference fringe amplitude in the specular scatter and the absence of changes in the diffuse scatter indicate that the sharpening is not a reduction in topological roughness but a reduction in the width of the chemical composition profile across the interface. The temperature at which the sharpening occurs corresponds to that at which a maximum is found in the tunneling magnetoresistance of magnetic tunnel junctions