PhD Defence Dan Ionita

Model-driven information security risk assessment of socio-technical systems

Dan Ionita is a PhD student in the research group Services, Cybersecurity and Safety. His supervisor is Professor Roel Wieringa from the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS).

This dissertation explores the role of conceptual models in assessing the risks pertaining to the development and operation of socio-technical systems. Specifically, it introduces a variety of risk assessment techniques built around different types of conceptual models not traditionally used in risk management. They range from coordination process models to argumentation models and from tangible models to value models. The dissertation does not, however, aim to produce an exhaustive list. Instead, it is meant to shed light on how existing conceptual modelling paradigms can support risk assessment processes, and to discuss the applicability of different modelling approaches to the identification or analysis of different kinds of risks.

I start by introducing a distinction between models serving as input to a risk assessment and models which are produced as a result of a risk assessment. I give examples of ontologies from the fields of enterprise modelling and argumentation which have the potential to empower analysts to better understand the system being assessed, to streamline the assessment process, to quantify risks, or to communicate results. In the remainder of the thesis, I propose several model-driven modelling and analysis approaches which can be used stand-alone but can also augment existing risk management processes. The approaches are centred around three modelling paradigms:

  • Tangible modelling - i.e. "physical" modelling using graspable three-dimensional tokens - and its benefits for the collaborative effort required to construct correct and complete models of socio-technical systems. I conclude that tangible modelling can reduce the modelling effort - especially when modelling is done as a group - and that it has beneficial effects on the quality of the resulting models when the modellers have a technical background. These effects are significant if there is some relationship between the appearance of the tangible tokens and their meaning. But they are heavily mitigated by the profile of the modellers: people with a technical background produce tangible models which closely adhere to the prescribed syntax of the language, while people with a background in social sciences tend to produce rich pictures.
  • Argumentation modelling - i.e. recording the rationale behind claims - and how it can support the security decision-making process. Results show that structuring the risk assessment as a set of arguments forces risk assessors to make their assumptions explicit, and that maintaining a mapping between risks and countermeasures increases the defensibility of the resulting security requirements. Simple, informal argumentation structures provide a basis for making risk assessment more transparent, but also more collaborative.
  • Value modelling - i.e. understanding the value transfers which underpin any commercial information system - and how they can be used to quantify risks, identify vulnerabilities to fraud, and rationalize processes. I find that value models, and in particular the e3value modelling ontology, provide the ability to quantify risks in terms of their business impact. I show how the ontology - with a small extension - can be used to automatically generate and rank fraud scenarios. Finally, I propose an approach for extracting value models from process models which opens the door to rationalizing business processes in terms of their financial sustainability.
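As an added illustration of how a value model can put a number on fraud risk, the script below is written in the spirit of the value-modelling approach described above; it is not code from the dissertation and does not implement its actual e3value extension. It assumes a deliberately simplified model: each value transfer carries a monetary valuation, an occurrence count per contract period and a market-segment size (all hypothetical attributes), and a fraud scenario is a "single deviation" in which one counterpart collects everything it is owed but withholds one transfer owed to the assessed actor. Scenarios are generated from the model and ranked by the assessed actor's lost value, with the resulting net position reported alongside.

```python
# Added illustration, not the dissertation's own e3value extension: a toy
# value model with actors, market segments and valued transfers, used to
# quantify fraud scenarios by their business impact on one assessed actor.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ValueTransfer:
    """One value transfer (hypothetical simplification of an e3value exchange)."""
    name: str
    sender: str        # actor (or market segment) giving up the value object
    receiver: str      # actor receiving it
    value: float       # agreed monetary valuation of one occurrence
    occurrences: int   # occurrences per segment member in the contract period
    count: int = 1     # size of the segment involved (e3value-style "count")

    def total(self) -> float:
        return self.value * self.occurrences * self.count


def net_value(actors: List[str], transfers: List[ValueTransfer]) -> Dict[str, float]:
    """Net value position of every actor if exactly these transfers take place."""
    totals = {a: 0.0 for a in actors}
    for t in transfers:
        totals[t.sender] -= t.total()
        totals[t.receiver] += t.total()
    return totals


def fraud_scenarios(transfers: List[ValueTransfer], victim: str
                    ) -> Iterator[Tuple[ValueTransfer, List[ValueTransfer]]]:
    """Generate single-deviation scenarios: a counterpart collects everything
    owed to it but withholds one transfer it owes to the assessed actor."""
    for withheld in transfers:
        if withheld.receiver != victim:
            continue
        executed = [t for t in transfers if t is not withheld]
        yield withheld, executed


def rank_by_impact(actors: List[str], transfers: List[ValueTransfer], victim: str
                   ) -> List[Tuple[float, str, str, float]]:
    """Rank scenarios by the assessed actor's loss relative to the ideal model,
    and report its resulting net position (is the business still viable?)."""
    baseline = net_value(actors, transfers)[victim]
    ranked = []
    for withheld, executed in fraud_scenarios(transfers, victim):
        after = net_value(actors, executed)[victim]
        ranked.append((baseline - after, withheld.sender, withheld.name, after))
    ranked.sort(key=lambda row: row[0], reverse=True)
    return ranked


# Constructed sample model (not real data): a subscription service with a
# segment of 1000 subscribers, a provider and an upstream network operator.
ACTORS = ["Subscriber", "Provider", "Network"]
TRANSFERS = [
    ValueTransfer("subscription fee", "Subscriber", "Provider", 20.0, 12, count=1000),
    ValueTransfer("premium call fee", "Subscriber", "Provider", 0.5, 40, count=1000),
    ValueTransfer("interconnect fee", "Provider", "Network", 0.2, 40, count=1000),
    ValueTransfer("platform fee", "Provider", "Network", 5000.0, 1),
    ValueTransfer("volume rebate", "Network", "Provider", 0.05, 40, count=1000),
]

if __name__ == "__main__":
    print("ideal model:", net_value(ACTORS, TRANSFERS))
    for loss, who, what, after in rank_by_impact(ACTORS, TRANSFERS, "Provider"):
        print(f"{who} withholds '{what}': loss {loss:,.0f}, Provider ends at {after:,.0f}")
```

The ranking makes the business impact explicit in the model's own terms: the whole subscriber segment defaulting on the subscription fee dwarfs the other deviations, while the provider remains marginally positive only because its fixed platform fee is small relative to the rest of the flows. Real e3value models add profitability sheets, dependency paths and per-actor valuations; the point of the toy is only that once value transfers are modelled, fraud scenarios can be enumerated and compared on a common monetary scale rather than argued about qualitatively.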

The three approaches are in principle complementary, as they each address different aspects of risk assessment or different types of risk.

Overall, I find that conceptual models, especially ones with a usable graphical representation, increase justifiability by making the inner workings of the risk assessment easier to understand for both the assessors and external stakeholders. Justifiability is important because risk assessment of socio-technical systems (1) often involves experts from different domains, (2) needs to inform the broader Governance, Risk and Compliance capabilities, and (3) should be both defensible and re-visitable.