Service security and privacy as a socio-technical problem

Bella, Giampaolo; Curzon, Paul; Lenzini, Gabriele

doi:10.3233/jcs-150536

Cited by 18 publications

(10 citation statements)

References 57 publications

(71 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Organisations can themselves be thought of as complex socio-technical systems (Davis et al , 2014). Indeed, Bella et al (2015) affirm that organisations comprise not only the software and hardware processes, but also people, physical objects and geographies. The main objective of this research is therefore: to develop a socio-technical systems framework to help identify and appropriately respond to any vulnerabilities that may result from the socio-technical gaps within the existing information and cybersecurity solutions …”

Section: Introductionmentioning

confidence: 99%

Socio-technical systems cybersecurity framework

Malatji

Solms

2019

ICS

View full text Add to dashboard Cite

Purpose This paper aims to identify and appropriately respond to any socio-technical gaps within organisational information and cybersecurity practices. This culminates in the equal emphasis of both the social, technical and environmental factors affecting security practices. Design/methodology/approach The socio-technical systems theory was used to develop a conceptual process model for analysing organisational practices in terms of their social, technical and environmental influence. The conceptual process model was then applied to specifically analyse some selected information and cybersecurity frameworks. The outcome of this exercise culminated in the design of a socio-technical systems cybersecurity framework that can be applied to any new or existing information and cybersecurity solutions in the organisation. A framework parameter to help continuously monitor the mutual alignment of the social, technical and environmental dimensions of the socio-technical systems cybersecurity framework was also introduced. Findings The results indicate a positive application of the socio-technical systems theory to the information and cybersecurity domain. In particular, the application of the conceptual process model is able to successfully categorise the selected information and cybersecurity practices into either social, technical or environmental practices. However, the validation of the socio-technical systems cybersecurity framework requires time and continuous monitoring in a real-life environment. Practical implications This research is beneficial to chief security officers, risk managers, information technology managers, security professionals and academics. They will gain more knowledge and understanding about the need to highlight the equal importance of both the social, technical and environmental dimensions of information and cybersecurity. Further, the less emphasised dimension is posited to open an equal but mutual security vulnerability gap as the more emphasised dimension. Both dimensions must, therefore, equally and jointly be emphasised for optimal security performance in the organisation. Originality/value The application of socio-technical systems theory to the information and cybersecurity domain has not received much attention. In this regard, the research adds value to the information and cybersecurity studies where too much emphasis is placed on security software and hardware capabilities.

show abstract

Section: Introductionmentioning

confidence: 99%

Socio-technical systems cybersecurity framework

Malatji

Solms

2019

ICS

View full text Add to dashboard Cite

show abstract

“…(vii) Socio-techno-political aspects: The role of data in a wide range of platforms has in the last decade had large influence on many people's decision-making processes related to politics, economics, entertainment, and many others. Clearly, the increasingly central role of users in these environments creates opportunities for malicious actors, and the landscape of cybersecurity issues is expanding [4].…”

Section: Desiderata For Explanations In Cybersecuritymentioning

confidence: 99%

On the Importance of Domain-specific Explanations in AI-based Cybersecurity Systems (Technical Report)

Paredes,

Teze,

Simari

et al. 2021

Preprint

View full text Add to dashboard Cite

With the availability of large datasets and ever-increasing computing power, there has been a growing use of data-driven artificial intelligence systems, which have shown their potential for successful application in diverse areas. However, many of these systems are not able to provide information about the rationale behind their decisions to their users. Lack of understanding of such decisions can be a major drawback, especially in critical domains such as those related to cybersecurity. In light of this problem, in this paper we make three contributions: (i) proposal and discussion of desiderata for the explanation of outputs generated by AI-based cybersecurity systems; (ii) a comparative analysis of approaches in the literature on Explainable Artificial Intelligence (XAI) under the lens of both our desiderata and further dimensions that are typically used for examining XAI approaches; and (iii) a general architecture that can serve as a roadmap for guiding research efforts towards the development of explainable AI-based cybersecurity systems-at its core, this roadmap proposes combinations of several research lines in a novel way towards tackling the unique challenges that arise in this context.

show abstract

“…User A user is modelled as a non-deterministic entity, so she may choose any of the paths of interaction that the browser offers, namely Type/ClickURL or ClickButton. This means that our model user is the best approximation at capturing all possible personas that a real-world user may express [11]. It is also the most pessimistic assumption from a security standpoint; therefore, a ceremony that is secure for a non-deterministic user in the model will be secure for any user in practice.…”

Section: Description Of the Main Uml Activitiesmentioning

confidence: 99%

“…However, there seems to exist no standard approach to analyzing socio-technical properties and, in particular, to effectively modelling the user in support of that analysis. While this is subject of significant international effort, as demonstrated by the vast related work (Section 2), we base our work upon the recent ceremony concertina traversal methodology [11]. It prescribes selective focus on the layers that interpose between society and each technical system, and leverages on a previously identified layering of a ceremony [10].…”

mentioning

confidence: 99%

“…While layer IV is the traditional playground for researchers from the Humanities, and the lower layers for researchers from Computer Science and Engineering, layer III is the meeting point for the trans-disciplinary discourse at the basis of inherently socio-technical analysis. It is therefore considered particularly challenging at present [11].Article outline. After the related work discussed in Section 2, we position our work and detail the different aspects of certificate validation in Section 3.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Invalid certificates in modern browsers: A socio-technical analysis

Giustolisi

Bella

Lenzini

2018

JCS

Self Cite

View full text Add to dashboard Cite

The authentication of a web server is a crucial procedure in the security of web browsing. It relies on certificate validation, a process that may require the participation of the user. Thus, the security of certificate validation is socio-technical as it depends on traditional security technology as well as on social elements such as cultural values, trust and human-computer interaction.This manuscript analyzes extensively the socio-technical security of certificate validation as carried out through today's most popular browsers. First, we model processes, protocols and ceremonies that browsers run with servers and users as UML activity diagrams. We consider both classic and private browsing modes and focus on the certificate validation. We then translate each UML activity diagram to a CSP# model. The model is expanded with the LTL formalization of five socio-technical properties pivoted on user involvement with certificate validation. We automatically check whether the CSP# models are socio-technically secure against Man-in-the-Middle attacks using the PAT model checker. The findings turn out to be far from straightforward. From them, we state best-practice recommendations to browser vendors. 3 validation. The mix of new browsers, modes, and properties increases the 16 scenarios analyzed in the previous paper to this manuscript's 60 scenarios. A disclaimer is in order that the proposed list of properties is not meant to be complete; however, our browser models are fairly well detailed, for example by allowing for the reception of a newly issued certificate to replace the older, expired one.The intellectual value that this manuscript gains is at least twofold: (i) it makes three best-practice recommendations to browsers upon the basis of the additional findings on the new set of browsers and modes; (ii) it finds two bugs in Safari, respectively one in Safari for OS X and one in Safari for iOS, which (we reported to Apple getting a reply that a fix would be available in the upcoming versions of the browser, and) are now filed with the vulnerability identifier CVE-2015-5859 [6,56]. It is also worth noting that, after our conference paper observed that Opera Mini fails to prompt the user in case of invalid certificate [12], a new version of the browser fixed this issue.Socio-technical analysis. Ellison coined the concept of a ceremony extending "the concept of network protocol by including human beings as nodes in the network" [25]; therefore, a ceremony is a technical system extended with its human users and the possible interactions between the system and its users . A ceremony extends the notion of protocol to include interactions, messages, and behaviours of the social components. Similarly, the term socio-technical system refers to the system including its social components [29]. Therefore, analyzing a ceremony means to conduct a socio-technical analysis focusing on socio-technical properties. It is somewhat understood that a socio-technical property pertains to how user choices affect a traditional property o...

show abstract

Service security and privacy as a socio-technical problem

Cited by 18 publications

References 57 publications

Socio-technical systems cybersecurity framework

Socio-technical systems cybersecurity framework

On the Importance of Domain-specific Explanations in AI-based Cybersecurity Systems (Technical Report)

Invalid certificates in modern browsers: A socio-technical analysis

Contact Info

Product

Resources

About