Modern organisations are complex, socio-technical systems consisting of a mixture of physical infrastructure, human actors, policies and processes. An increasing number of attacks on these organisations exploits vulnerabilities on all different levels, for example combining a malware attack with social engineering. Due to this combination of attack steps on technical and social levels, risk assessment in socio-technical systems is complex. Therefore, established risk assessment methods often abstract away the internal structure of an organisation and ignore human factors when modelling and assessing attacks. In our work we model all relevant levels of socio-technical systems, and propose evaluation techniques for analysing the security properties of the model. Our approach simplifies the identification of possible attacks and provides qualified assessment and ranking of attacks based on the expected impact

Aslanyan, Zaruhi

Ivanova, Marieta G.

Nielson, Flemming

Probst, Christian W.

NARCIS 

Modeling and Analysing Socio-Technical Systems

University of Twente Research Information

Modelling and AnalysingSocio-Technical SystemsZaruhi Aslanyan, Marieta G. Ivanova,Flemming Nielson and Christian W. ProbstDTU Compute, Technical University of Denmark, Denmark{zaas,mgiv,fnie,cwpr}@dtu.dkModern organisations are complex, socio-technical systems consisting of amixture of physical infrastructure, human actors, policies and processes. An in-creasing number of attacks on these organisations exploits vulnerabilities on alldifferent levels, for example combining a malware attack with social engineer-ing. Due to this combination of attack steps on technical and social levels, riskassessment in socio-technical systems is complex. Therefore, established risk as-sessment methods often abstract away the internal structure of an organisationand ignore human factors when modelling and assessing attacks. In our workwe model all relevant levels of socio-technical systems, and propose evaluationtechniques for analysing the security properties of the model. Our approach sim-plifies the identification of possible attacks and provides qualified assessment andranking of attacks based on the expected impact.We demonstrate our approach on a home-payment system. The system isspecifically designed to help elderly or disabled people, who may have difficul-ties leaving their home, to pay for some services, e.g., care-taking or rent. Thepayment is performed using the remote control of a television box with a con-tactless payment card (see Figure 1). When a transfer is initiated, a password isneeded in order to authenticate the owner of the card.Fig. 1. System overview.ModelOur model is based on work by Probst et al. [1] and Dimkov et al. [2]. To facilitateformal methods, the model represents the infrastructure of organisations - theProceedings of STPIS'15©Copyright held by the author(s) 121physical as well as the digital world - as nodes in a directed graph. In this directedgraph nodes that are physically or virtually connected are linked by directededges. The nodes represent different elements in the modelled organisation suchas locations, assets, and actors. Nodes may belong to different domains. Domainsare used to restrict operations being allowed on the nodes. For example, humanactors are only allowed to move within the nodes from the physical domain. Somenodes are associated with policies, which are used for regulating the access tolocations and assets, but also for defining actors’ expected behaviour in theorganisation. Policies consist of two parts - required credentials and enabledactions. The actor needs to fulfill the required credentials in order to be permittedto perform the enabled actions on the respective node.The example scenario, also shown in Figure 2, represents an actor Alice,who receives a care-taking service provided by an actor Charlie. The companyCharlie works for has a policy that forbids the employees to take money fromthe customers. The locations modelled in this scenario are Alice’s home, a bankwith an ATM, and a bank computer. Alice’s payment card, the pin it contains,and the pin Alice knows for her card are modeled as assets. An example for anode associated with a policy is the bank computer, where the policy requires abank account and a matching password.In order to identify the possible attacks based on the model, our approachdoes not analyse only the technical infrastructure but also takes into consider-ation the human factor. Social attacks, e.g., social engineering, are an essentialcomponent as attack threats could be easily underseen when only technical at-tacks are considered. The human factor modelling in technical systems is alsoformally presented using Isabelle theorem prover [3].AnalysisOur analysis is carried out on attack trees, a suitable tool for presenting socio-technical threats and conveying security information to non-experts. Attacktrees, introduced by Schneier [4], are a widely used graphical tool for represent-ing attack scenarios. They are used to evaluate the security of complex systemsin a structured, hierarchical way. The root of a tree represents the main goalof the attacker, while the leaves are the attacker’s basic actions. Internal nodesillustrate how the basic actions have to be combined in order to achieve theoverall goal. Standard attack trees combine basic actions either conjunctively,meaning that all actions should be satisfied in order the tree to be satisfied, ordisjunctively, meaning that at least one action should be satisfied in order thetree to be satisfied.Attack trees are analysed by assigning values to the basic actions and prop-agating them from the leaves to the root of the tree. Most attack tree analysesconsider attack trees with one parameter and optimise one particular aspect ofa scenario, such as likelihood of success or difficulty of a hack, in terms of timeor cost of an attack. Moreover, in most attack tree models with multiple param-eters values are propagating from the leaves to the root based on local decisionstrategies, i.e., in each step of the evaluation optimisation is made with respectSocio-Technical Perspective in IS DevelopmentEdited by S. Kowalski, P. Bednar and I. Bider 122processes network actorsworldPcBankCityDoortrustedby(Alice): moveHomeComputer CWS: outaccountnumber,34567pwd,313cash,100C: out(“transfer”, number, pwd, amount)C: out(“deposit”, number, amount)Charliecardpin, 96pin, 96owner, CharlieAlicepin,42pwd,313cardpin, 42owner, AlicePaccountATM A1safecash,1000card[(pin,X)],(pin,X) : inPwsWorkstation WSAlice: outharddrivepwd, 313Fig. 2. Graphical representation of the example system. The white rectangles representlocations or items, the gray rectangles represent processes and actors; actors containthe items or data owned by the actor. The round nodes represent data. Solid linesrepresent the physical connections between locations, and dotted lines represent thepresent location of actors and processes. The dashed rectangles in the upper right partof some nodes represent the policies assigned to these nodes.to one parameter. In case of incomparable values, however, this approach mayyield sup-optimal results.In order to overcome this limitation and evaluate complex attack scenarios,we present evaluation techniques that consider attack trees where basic actionsare assigned with more than one parameter, such as, likelihood of success andcost. Our evaluation techniques try to optimise all parameters at once. How-ever, optimisation of multiple parameters might lead to incomparable values,e.g., maximising likelihood while minimising cost. Even worse, a best solutiondoes not always exist. We handle this issue by computing the set of optimalsolutions [5], defined in terms of Pareto efficiency. A solution is called Paretoefficient if it is not dominated by any other solution [6].EvaluationWe illustrate the evaluation techniques on the attack scenario where an attackerwants to steal money from the card-holder by forcing him/her to pay fake ser-vices. Our evaluation techniques answer the questions, such as “Can an attackersuccessfully steal money from the card-holder?” or “What is the maximum like-lihood of success of an attack?”. Moreover, we associate with each basic action aProceedings of STPIS'15©Copyright held by the author(s) 123cost of an attack, and detected the attacks with maximum likelihood and min-imum cost. We compute the set of all Pareto optimal solutions, displayed inFigure 3, where each point shows a likelihood of success with the correspondingcost.!"#!!"$!!"%!!"&!!"'!!"(!!"!)!!" !)!'" !)#!" !)#'" !)$!" !)$'" !)%!" !)%'" !)&!"!"#$%&'"()(*+*$,%Fig. 3. Pareto optimal solutions.As future work, we plan to introduce countermeasures to the model. Besidesthe identification of possible socio-technical threats, we would like to determinethe corresponding defender actions and evaluate attack and defence scenarios.Acknowledgment: Part of the research leading to these results has receivedfunding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TRESPASS). This publication reflectsonly the authors’ views and the Union is not liable for any use that may be madeof the information contained herein.References1. Probst, C.W., Hansen, R.R.: An extensible analysable system model. InformationSecurity Technical Report 13(4) (November 2008) 235–2462. Dimkov, T., Pieters, W., Hartel, P.: Portunes: representing attack scenarios span-ning through the physical, digital and social domain. In: Proceedings of the 2010joint conference on Automated reasoning for security protocol analysis and issuesin the theory of security, Springer (2010) 112–1293. Boender, J., Ivanova, M.G., Kammüller, F., Primiero, G.: Modeling human be-haviour with higher order logic: Insider threats. In: STAST’14, IEEE (2014) co-located with CSF’14 in the Vienna Summer of Logic.4. Schneier, B.: Attack Trees: Modeling Security Threats. Dr. Dobb’s Journal ofSoftware Tools 24(12) (1999) 21–295. Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In:Principles of Security and Trust - 4th International Conference, POST. (2015) 95–1146. Legriel, J., Guernic, C.L., Cotton, S., Maler, O.: Approximating the pareto front ofmulti-criteria optimization problems. In: TACAS. (2010) 69–83Socio-Technical Perspective in IS DevelopmentEdited by S. Kowalski, P. Bednar and I. Bider 124

English

https://ris.utwente.nl/ws/files/5344416/paper11.pdf

Modeling and Analysing Socio-Technical Systems

Abstract

Similar works

Full text

Available Versions

NARCIS

University of Twente Research Information