Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security

Beautement, Adam; Coles, Robert S.; Griffin, Jonathan; Ioannidis, Christos; Monahan, Brian; Pym, David J.; Sasse, Angela; Wonham, Michael

doi:10.1007/978-0-387-09762-6_7

Cited by 50 publications

(50 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Plot of the number of policies against the likelihood of insider attacks to occurring (solid line), and the likelihood that employees will comply with the policies (dashed/dotted lines) [3,4]. Organisations want to be at the "sweet spot", where maximum compliance coincides with minimum number of policies (the dotted plot).…”

Section: Complex Trust Even More Complex Riskmentioning

confidence: 99%

“…Up to a point we are able to predict that new policies will benefit the organisation, based on a reasonable risk analysis-our actions to reduce insider threats do more good than harm to the organisation. Beyond that point, however, the added policies harm the organisation, either because employees do not comply, or because they disturb the work flow too much [3,4].…”

Section: • Who Should Have Access To What Information?mentioning

confidence: 99%

See 1 more Smart Citation

The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

Probst¹,

Hunker²

2010

Economics of Information Security and Privacy

View full text Add to dashboard Cite

Insider threats to organisational information security are widely viewed as an important concern, but little is understood as to the pattern of their occurrence. We outline an argument for explaining what originally surprised us: that many practitioners report that their organisations take basic steps to prevent insider attacks, but do not attempt to address more serious attacks. We suggest that an understanding of the true cost of additional policies to control insider threats, and the dynamic nature of potential insider threats together help explain why this observed behaviour is economically rational. This conclusion also suggests that further work needs to be done to understand how better to change underlying motivations of insiders, rather than simply focus on controlling and monitoring their behaviour.

show abstract

Section: Complex Trust Even More Complex Riskmentioning

confidence: 99%

Section: • Who Should Have Access To What Information?mentioning

confidence: 99%

The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

Probst¹,

Hunker²

2010

Economics of Information Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Our hypothesis, supported by a body of exploratory (e.g., [1,2]) and theoretical (e.g., [13,14]) work, is that a specific combination of mathematical systems modelling of the structure and dynamics of organizations and their behaviour and economic modelling of their security policy design and decision-making can deliver a framework within which the consequences of security policy and technology co-design decisions can be predicted and explored experimentally. The security systems of interest are often complex assemblies of agents, be they software or human, policies, and technology.…”

Section: Introductionmentioning

confidence: 98%

Compositional Security Modelling

Caulfield

Pym

Williams

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The nal publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-07620-121Additional information: Use policyThe full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for personal research or study, educational, or not-for-pro t purposes provided that:• a full bibliographic reference is made to the original source • a link is made to the metadata record in DRO • the full-text is not changed in any way The full-text must not be sold in any format or medium without the formal permission of the copyright holders.Please consult the full DRO policy for further details. Abstract. Security managers face the challenge of formulating and implementing policies that deliver their desired system security postures -for example, their preferred balance of confidentiality, integrity, and availability -within budget (monetary and otherwise). In this paper, we describe a security modelling methodology, grounded in rigorous mathematical systems modelling and economics, that captures the managers' policies and the behavioural choices of agents operating within the system. Models are executable, so allowing systematic experimental exploration of the system-policy co-design space, and compositional, so managing the complexity of large-scale systems.

show abstract

“…We build upon a range of ideas from the economics of information security [1,3,7] and mathematical systems modelling [5] to create a modelling methodology and framework for building models that can be used to predict the consequences of different policy choices.…”

Section: Introductionmentioning

confidence: 99%

Improving Security Policy Decisions with Models

Caulfield

Pym

2015

IEEE Secur. Privacy

Self Cite

View full text Add to dashboard Cite

Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous methodology, grounded in mathematical systems modelling and the economics of decision-making, can be used to explore the operational consequences of their design choices and help security managers to make better decisions. The methodology is based on constructing executable system models that illustrate the effects of different policy choices. Models are designed to be composed, allowing complex systems to be expressed as combinations of smaller, complete models. They capture the logical and physical structure of systems, the choices and behavior of agents within the system, and the security managers' preferences about outcomes. Models are parameterized from observations of the real world and the effectiveness of different security policies is explored through simulation. Utility theory is used to describe the extent to which security managers' policies deliver their security objectives.

show abstract

Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security

Cited by 50 publications

References 20 publications

The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

Compositional Security Modelling

Improving Security Policy Decisions with Models

Contact Info

Product

Resources

About