Socio-technical security metrics – seminar summary

Safety metrics inform many decisions, from the height of new dikes to the design of nuclear plants. We can state, for example, that the dikes should be high enough to guarantee that a particular area will flood at most once every 1000 years. Even when considering the limitations of such numbers, they are useful in guiding policy.

Metrics for the security of information systems have not reached the same level of maturity. This is partly due to the nature of security risk, in which the threat events are caused by an adaptive attacker rather than by nature. Moreover, whereas the human factor may complicate safety and security procedures alike, in security this “weakest link” may be actively exploited by an attacker, as in phishing or social engineering. In order to measure security, one therefore needs to compare technical attacks and such social manipulations on a common scale, since the attacker will simply take the easiest path. In addition, countermeasures may reduce usability and productivity, and lead to workarounds rather than to more secure systems. Defining information security metrics therefore requires close cooperation between different fields of science and practice.

The Dagstuhl seminar on socio-technical security metrics brings together computer scientists, behavioural scientists, economists, risk managers and consultants, in search of suitable metrics that allow us to estimate information security risk in a socio-technical setting, as well as the costs and effectiveness of countermeasures. In particular, we study these risk metrics in the context of recent developments, where information systems move to the cloud and access moves to personal devices such as smartphones.

Activities in this seminar include:

- Plenary sessions on defining the terminology / conceptual framework, and discussing suitable metrics;
- Parallel (break-out) sessions on detailing the suggested metrics, including:
    - Vulnerability to multi-step attacks;
    - Attacker model parameters;
    - Leveraging existing data;
    - Effectiveness of countermeasures;
    - Total cost of ownership of countermeasures.
- Case study sessions, in which the results are applied to the cloud/BYOD scenario, providing feedback to the metrics design sessions;
- Plenary sessions on the application possibilities of the metrics in security investment, policy, and service selection, as well as limitations of the metrics;
- Future work sessions on identifying promising directions and follow-up activities.

Outcomes aimed for in this seminar are:

- A common conceptual framework for expressing the properties that are necessary to (a) obtain the right information about existing attacks, (b) use this information to predict possible future attacks and assess their risks in monetary terms, and (c) provide decision support for implementing countermeasures based on such analysis;
- Suitable metrics for:
    - Impact of socio-technical attacks;
    - Vulnerability to socio-technical attacks;
    - Attacker models for socio-technical attacks;
    - Costs of countermeasures, including impact on productivity.
- A high-level procedure for implementing steps (a) – (c) above based on the proposed metrics;
- Other application possibilities and limitations of the metrics.

Assessing socio-technical security is an early-stage research area that is likely to expand over the coming years, which gives this seminar a unique opportunity to set future trends. The seminar is expected to initiate new project proposals in this area, as well as joint publications. Follow-up activities will be identified during the seminar, and a leader will be assigned for each of them. The seminar organizers will monitor progress in the follow-up activities.