Security policy authors face a dilemma. On one hand, policies need to respond to a constantly evolving, well reported threat landscape, the consequences of which have heightened the security awareness of senior managers. On the other hand, the impact of policies extend beyond constraints on desktop computers and laptops; an overly constrained policy may compromise operations or stifle the freedom needed for staff to innovate. Because few people are fired for making a policy too secure, as long as usability continues to be treated as a trade-off quality together with functionality then policies will err on the side of constraint over freedom of action. Existing work argues that balanced security can be achieved using Requirements Engineering best practice. Such approaches, however, treat usability as another class of quality requirement, and prescribed techniques fail to elicit or analyse empirical data with the same richness as those used by usability professionals. There is, therefore, a need to incorporates techniques from HCI into the task of specifying security, but without compromising Requirements Engineering practice. Recent work demonstrated how user-centered design and security requirements engineering techniques can be aligned; this approach was validated using a general system design project, where ample time was available to collect empirical data and run participatory requirements and risk workshops. The question remains whether such an approach scales for eliciting policy requirements where time is an imperative rather than a luxury

Faily, Shamal

Fléchais, Ivan

English

Shamal Faily

Ivan Flechais

Oxford University Research Archive (ORA)

Security through Usability: a user−centered approach for balanced security policy requirements

Fl�chais, Ivan

Open Access Institutional Repository at Robert Gordon University

FAILY, S. and FLÉCHAIS, I. 2010. Security through usability: a user-centered approach for balanced security policy requirements. Presented at the 26th Annual computer security applications conference (ACSAC 2010), 6-10 December 2010, Austin, USA.     The extended abstract was originally hosted on ACSAC.org: https://www.acsac.org/2010/program/posters/faily.pdf The full poster was originally hosted by Oxford University: https://ora.ox.ac.uk/objects/uuid:09485ecb-aa2a-47ab-8c53-45b07a7ac105 This document was downloaded from https://openair.rgu.ac.uk Security through usability: a user-centered approach for balanced security policy requirements. FAILY, S. and FLÉCHAIS, I. 2010 1Security through Usability: a user-centeredapproach for balanced security policy requirementsShamal Faily, Ivan FléchaisOxford University Computing LaboratoryWolfson Building, Parks Road, Oxford OX1 3QD, UK{shamal.faily,ivan.flechais}@comlab.ox.ac.ukI. MOTIVATIONSecurity policy authors face a dilemma. On one hand, policies need to respond to a constantly evolving, well reported threatlandscape, the consequences of which have heightened the security awareness of senior managers. On the other hand, theimpact of policies extend beyond constraints on desktop computers and laptops; an overly constrained policy may compromiseoperations or stifle the freedom needed for staff to innovate. Because few people are fired for making a policy too secure, as longas usability continues to be treated as a trade-off quality together with functionality then policies will err on the side of constraintover freedom of action. Existing work [9] argues that balanced security can be achieved using Requirements Engineering bestpractice. Such approaches, however, treat usability as another class of quality requirement, and prescribed techniques fail toelicit or analyse empirical data with the same richness as those used by usability professionals. There is, therefore, a need toincorporates techniques from HCI into the task of specifying security, but without compromising Requirements Engineeringpractice. Recent work demonstrated how user-centered design and security requirements engineering techniques can be aligned[5], [6]; this approach was validated using a general system design project, where ample time was available to collect empiricaldata and run participatory requirements and risk workshops. The question remains whether such an approach scales for elicitingpolicy requirements where time is an imperative rather than a luxury.II. APPROACHWe have devised a user-centered process for eliciting security policy requirements. Like the process in [6], it begins byagreeing the system scope and key roles with project stakeholders. This stage is followed by fieldwork and usability analysis.During the fieldwork stage, empirical data is collected about how users carry out their day-to-day work. This data is analysedand modelled using a qualitative data analysis methodology [3] to discover important user characteristics. This data is fed intothe design of personas representing archetypical users [2], and task scenarios describing the activities they carry out.Rather than undertaking lengthy participatory requirements and risk analysis workshops, the subsequent analysis is carriedout exclusively by analysts in a number of stages. First, assets of value are modelled in UML based asset models. Second,the KAOS goal oriented requirements engineering methodology [4] is used to construct a goal tree of policy requirements.Leaf goals in these trees are assigned to specific roles. Goals may be obstructed using obstacles, which represent conditionsFig. 1. Policy development process overviewAgree Scope FieldworkUsabilityAnalysisRequirementsAnalysisVulnerabilityAnalysisThreat AnalysisRisk AnalysisExploit Virus infected workstationRickSTCS ApplicationICT PCICT ApplicationModify SCADA HMI softwareResolve reservoir alarm<< Unauthorised USB usage threatens >>BarrySCADA WorkstationLaptopModify PLC softwareBroken instrument alarm<< exploits Incompatible security controls >><< Virus infected workstation threatens & exploits >>Task Model**Asset ModelsGoal ModelsObstacle ModelsAttackerProfilesPersonas Responsibility ModelsPersonal securityProcess impactInsider knowledgeInfoSec indifference Work RoutineBusiness complianceSite knowledgeHardware theftSite threats=> [ ][ ]=>< >=>=>=>< >Conceptual ModelsRich PictureContext Diagram2preventing a goal from being achieved [8]. Although analysing goals may suggest possible vulnerabilities and threats, these areprimarily defined from the empirical data used to define personas and tasks; previous work [6] found that fieldwork data can alsobe used to glean information about possible threats and vulnerabilities. Associated with each threat are attacker profiles; theseare created using Open Source Intelligence, or published literature on related attacks. Where possible, policy requirementsfor mitigating these vulnerabilities and threats are elicited at this stage. The next stage involves specifying risks, where asingle unmitigated threat exploits a single unmitigated vulnerability. Associated with each risk is a Misuse Case describinga scenario where the attacker carries out the activities necessary to realise the risk. Data from all stages are entered into adedicated software tool [1], which structures the data, automatically visualises different models, and generates a DocBookpolicy requirements specification. This tool is described in more detail in [7].The final stage involves a participatory workshop, where Misuse Cases are discussed by project stakeholders. Using MisuseCases as boundary objects, this workshop aims to collectively elicit the remaining policy requirements mitigating these risks.Each Misuse Case is illustrated in a Task Model; this model contains the related attacker (or attackers), endangered assets,and personas and tasks related to these assets. Both the tasks and Misuse Cases are represented as coloured ellipses based ona quantitative usability and risk impact score generated by the software tool. When it has been agreed that a Misuse Case hasbeen mitigated, the next Misuse Case is discussed.III. PRELIMINARY RESULTS AND FUTURE WORKWe applied this approach to define the policy requirements for SCADA (Supervisory Control and Data Acquisition),Telemetry, and Control System software for plant operation staff at a UK water company. After agreeing the system scope androles, we visited 4 different water treatment plants and, after subsequent usability analysis, one persona and 4 task scenarioswere defined. During the initial requirements analysis, 102 policy goals were elicited, the leaf goals of which were assignedto 8 different roles. At an early stage, it was observed that IT support staff were responsible for a disproportionate number ofpolicy goals, as opposed to plant operation and security staff. Based on the empirical data, 8 vulnerabilities, 8 threats, and 4possible attackers were identified; 3 of these vulnerabilities were mitigated at an early stage. Eight risks were identified basedon specific combinations of unmitigated threats and vulnerabilities. A participatory workshop was held to review the MisuseCases associated with these risks; of these, two Misuse Cases were discussed in detail during the workshop. Based on thediscussions, several additional policy requirements were elicited, while others were de-scoped from the study.Preliminary results suggest that structuring risk analysis discussion around Misuse Case narratives helped ground thediscussion about risk impact in the real world. One of the Misuse Cases explored the impact of a virus infecting SCADAworkstations. Discussing the impact of policy decisions on the plant operator persona’s work simplified policy requirements;in this specific case, the system attack surface was reduced by removing system functionality unused by the persona. Ourresults also indicate that this process can be completed comparatively quickly. The fieldwork and usability analysis stage wascarried out in a little over a week, while the complete study took less than a month. Our results also re-affirm the usefulness ofuser-centered design techniques for providing supplemental data for security analysis. These techniques do, however, rely onthe ability to carry out ethnographic research and qualitative data analysis, the results from which must be interpreted beforepersonas and tasks can be built. We are currently exploring how argumentation structures can be used to build design rationalelinks between qualitative data and personas. This work potentially enables usability specialists to develop personas based onspecific characteristics, which can be tracked back to its originating data.IV. ACKNOWLEDGEMENTSThe research described in this paper was funded by EPSRC CASE Studentship R07437/CN001. We are very grateful toQinetiq Ltd for their sponsorship of this work.REFERENCES[1] CAIRIS web site. http://www.comlab.ox.ac.uk/cairis (September 2010)[2] Cooper, A.: The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity (2nd Edition). PearsonHigher Education (1999)[3] Corbin, J.M., Strauss, A.L.: Basics of qualitative research : techniques and procedures for developing grounded theory. Sage Publications, Inc., 3rd edn.(2008)[4] Dardenne, A., van Lamsweerde, A., Fickas, S.: Goal-directed requirements acquisition. Science of Computer Programming 20(1-2), 3 – 50 (1993),http://www.sciencedirect.com/science/article/B6V17-45FSTB2-10/2/605ddb5671131b8a28eb4d38d29cab5e[5] Faily, S., Fléchais, I.: A Meta-Model for Usable Secure Requirements Engineering. In: Software Engineering for Secure Systems, 2010. SESS ’10. ICSEWorkshop on. pp. 126–135. IEEE Computer Society Press (May 2010)[6] Faily, S., Fléchais, I.: Barry is not the weakest link: Eliciting Secure System Requirements with Personas. In: BCS HCI ’10: Proceedings of the 2010British Computer Society Conference on Human-Computer Interaction (2010)[7] Faily, S., Fléchais, I.: Towards tool-support for Usable Secure Requirements Engineering with CAIRIS. International Journal of Secure Software Engineering1(3), 56–70 (July-September 2010)[8] van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements engineering. Software Engineering, IEEE Transactions on 26(10),978–1005 (2000)[9] Mead, N.R., Hough, E.D., Stehney II, Theodore R.: Security Quality Requirements Engineering (SQUARE) Methodology. Tech. Rep. CMU/SEI-2005-TR-009, Carnegie Mellon Software Engineering Institute (2005)Security through Usability: a user-centered approach for balanced security policy requirementsShamal Faily and Ivan FléchaisComputing Laboratory, University of OxfordEmail: {shamal.faily, ivan.flechais}@comlab.ox.ac.uk The Problem Information Security policies need to respond to evolving threats without over-specifying security.There is a noticeable lack of support for writing security policies which balance security and usability.Make policy development user-centric by applying User-Centered Design [1,2].Augment User-Centered Design with complementary techniques & tools from Information Security and Requirements Engineering [3,4,5,6].The SolutionOur Approach1. Agree Scope  2. Fieldwork3. UsabilityAnalysis4. RequirementsAnalysis5. VulnerabilityAnalysis6. Threat Analysis7. Risk AnalysisAgree policy scope and affected users.Collect and analyse data about users' day-to-day work.Build personas representing archetypical users, and scenarios about their work.Model the policy as a goal tree. Elicit and refine models, and identify mitigating requirements.Elicit vulnerabilities from fieldwork data and revise models accordingly.Identify convincing attackers & threats from fieldwork data, and revise models accordingly.Model unmitigated risks using Misuse Cases, and agree policy resolutions.AcknowledgementsThis research was funded by the EPSRC CASE Studentship R07437/CN001.  We are also grateful to Qinetiq Ltd for their sponsorship of this work.References[2] Faily, S., and Fléchais, I. The secret lives of assumptions: Developing and refining assumption personas for secure system design. Proceedings of the 3rd Conference on Human-Centered Software Engineering (2010),111–118[3] Faily, S., and Fléchais, I. Towards tool-support for Usable Secure Requirements Engineering with CAIRIS. International Journal of Secure Software Engineering 1 (3), 2010, 56–70[4] CAIRIS web site.  http://www.comlab.ox.ac.uk/cairis[5] van Lamsweerde, A., Letier E., Handling Obstacles in Goal-Oriented Requirements Engineering. IEEE Transactions on Software Engineering 26 (10), 2000, 978-1005[6] Sindre, G., Opdahl L., Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10 (1), 2005, 34-44[1] Faily, S., and Fléchais, I. Barry is not the weakest link: Eliciting Secure System Requirements with Personas. Proceedings of the 24th British HCI Group Annual Conference on People and Computers, 2010, 113–1205. Based on the usability analysis data, 8 vulnerabilitieswere identified, 3 of which were mitigated at this stage.  Data contributing to ubiquitous identity vulnerability, and mitigating requirement.Exploit Virus infected workstationRickSTCS ApplicationICT PCICT ApplicationModify SCADA HMI softwareResolve reservoir alarm<< Unauthorised USB usage threatens >>BarrySCADA WorkstationLaptopModify PLC softwareBroken instrument alarm<< exploits Incompatible security controls >><< Virus infected workstation threatens & exploits >>7. Finally, the most topical risks were modelled as Misuse Cases, analysed, and mitigated in participatory design workshops.Task (left) and Risk Analysis (right) model of virus-infected workstation riskPreliminary Results Eliciting policy requirements for SCADA and Control Systems used by plant operations staff at a UK water company.Personal securityProcess impactInsider knowledgeInfoSec indifference Work RoutineBusiness complianceSite knowledgeHardware theftSite threats=> [ ][ ]=>< >=>=>=>< >2. We visited 4 different water treatment plants, interviewing plantoperators, and other staff.  A conceptual model of plant security wasdeveloped from a qualitative data analysis of the collected data.3. Using the results of the qualitative data analysis, a plantoperator persona (Rick), and several task scenarios wereelicited.Although information security doesn't phase Rick too much, personal security does.  Potentially facing off a scrap metal thiefis a big worry for Rick. "The police don't respond to intruder alarms at a nearbypumping station any more due to false alarms", says Rick."Because of this, we've been told not to go out to these placeson our own.   We have a lone-worker system when people call us when weget to a particular station, but what happens if we get problemson the way?"Motivation details about Rick, a plant operator persona.Asset ModelsGoal ModelsObstacle ModelsResponsibility Models4. Based on the collected data & documentation, 102 policy goals, 8 roles, and 18 assets.  Based on obstructing policy goals alone,several vulnerabilities and threats were identified and mitigated. 6. Collected and open-source data helped identify 4 convincing attackers, and 8 possible threats. Inside attacker (left), penetration tester (centre), and petty thief attacker profiles 1. The policy scope was agreed & modelledusing a Rich Picture Context Diagram.Item MeaningIs cause ofIs associated withContractsIs part of=>==< >[ ]

Security through usability: a user-centered approach for balanced security policy requirements.

https://rgu-repository.worktribe.com/preview/1545154/FAILY%202010%20Security%20through%20usability.pdf

Security through usability: a user-centered approach for balanced security policy requirements.

Abstract

Similar works

Full text

Available Versions

Oxford University Research Archive (ORA)

Open Access Institutional Repository at Robert Gordon University