OPPRIM: Opportunity-Enabled Risk Management for Trust and Risk-Aware Asset Access Decision-Making

SEIGNEUR, Jean-Marc, et al. & Commission Européenne

Abstract

Nowadays BYOD and mobile work are a reality even if they challenge traditional security perimeters and risk management that mainly focus on the threats that these mobile opportunities create. They do not consider their potential benefits, e.g., if a user cannot work when being paid then the productivity is lower. It is the reason that in this paper we introduce a new risk management model, called OPPRIM, where opportunities are also taken into account. We first start by surveying previous work showing that opportunities have been underestimated. Then we detail our OPPRIM model. Finally we present the results of our evaluations through a user survey, quantitative data analysis at company level and simulations. For further enhancements, we have released an open-source OPPRIM simulator of more than 30 000 lines of Java code available on Github.

SEIGNEUR, Jean-Marc, et al . & Commission Européenne. OPPRIM: Opportunity-Enabled Risk Management for Trust and Risk-Aware Asset Access Decision-Making . Genève : Commission Européenne, 2015, 20 p.

Available at:

http://archive-ouverte.unige.ch/unige:46443

Disclaimer: layout of this document may differ from the published version.


OPPRIM: Opportunity-Enabled Risk Management for Trust and Risk-Aware Asset Access Decision-Making

JEAN-MARC SEIGNEUR, University of Geneva, Information Science Institute

CARLOS BALLESTER LAFUENTE, University of Geneva, Information Science Institute

XAVIER TITI, University of Geneva, Information Science Institute

JONATHAN GUISLAIN, University of Geneva, Information Science Institute

Categories and Subject Descriptors: K.6.5 [Security and Protection]: Unauthorized Access

General Terms: Design, Management, Security, Economics

Additional Key Words and Phrases: Risk management, trust management, asset access decision-making

1. INTRODUCTION

In traditional computer security, a trusted computing environment means that the environment is assumed to be implicitly trustworthy with neither explicit evidence nor a real time assessment of its trustworthiness. This assumption works well in closed corporate environments, where all computers are administered by knowledgeable administrators, which we call Chief Security Officers (CSO), and all users have signed an employment contract and are granted the minimum rights they need to carry out their work.

Unfortunately, nowadays, mobile corporate users increasingly use computing environments in many other places than the corporate offices, accessing corporate information and corporate assets from homes, airports, customers’ offices, conference centers, coworking places, etc. They often also use their own devices as part of the Bring Your Own Device (BYOD) trend. Moreover, there are more and more projects where different companies and contractors have to work together collaboratively.

Thus, the trustworthiness in both employees and external collaborators, who have no direct employment contract with the company of the CSO, has to be taken into account in a more dynamic way. The computing environments are not fully controlled by the corporate IT administrators. Thus, new means to dynamically assess if access to corporate assets should be granted or not are needed, taking into account as part of risk calculation not only the trust in the current computing environment but also the trust in the requesting user without compromising the user’s privacy right, especially if the user is not a direct employee and in a country with privacy-friendly laws.

This work is supported by the European Commission, under grant 318508, project MUSES, Multiplatform Usable Endpoint Security, FP7-ICT-2011-8, Trustworthy ICT.

Authors’ address: Medi@LAB and ISI/ISS, GSEM and SdS Faculties, CUI, Battelle Bât. A, 7 route de Drize, CH-1227 Carouge, Switzerland.


In Section 2, we discuss how, from a corporate point of view, the BYOD and mobile work trend clearly challenges traditional IT risk management methodologies, and we review related work. Section 3 presents the design of our new risk management model, called OPPRIM, which takes into account not only threats but also these BYOD and mobile work opportunities. In Section 4, we evaluate our model through simulations and user feedback from online surveys that are statistically significant and representative of the USA Web user population. Section 5 concludes and discusses future work.

2. STATE OF THE ART AND RELATED WORK

In this section, we first discuss the state of the art of risk management methodologies and then related work aiming at going beyond this state of the art.

2.1 Risk Management State of the Art

Risk management is a broad field applied in many other application domains than Information Technology (IT), for example, nuclear power plants, with many different methodologies. Fortunately, in 2005 the European Network and Information Security Agency (ENISA) set up an ad hoc Working Group on "Technical and Policy Aspects of Risk Assessment and Risk Management" involving experts from eight Member States who cooperated through regular meetings within eight months. They produced an overview of existing risk methodologies and the relevant players in this field, and comparison of the different methodologies [ENISA 2006].

ISO 27005 (information security risk management) underlines that risk management in the information security application domain relies on threat modeling. As Shostack [Shostack 2008] underlines, there are three main types of threat modeling approaches:

• Asset-driven threat modeling focuses on the assets that attackers may attack, including how they could attack them.

• Attacker-driven threat modeling focuses on understanding the capabilities of the potential attackers who would want to attack. It works well for “a foreign army with a known strategic doctrine, physical world limits, and long-lead-time weapons systems development. This works less well when your adversary is a loosely organized group of anonymous hackers.” [Shostack 2008]

• Design-driven threat modeling is threat modeling based on the security perimeter of software components where diagrams are drawn at design time to understand what can go wrong with each component, for example, following the STRIDE threat model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege) [Howard and Lipner 2003]

In our work, the assets are more related to corporate assets that are accessed by employees or users who want to have access to those assets in order to carry out their work. Decision-making must be carried out to decide if those requesting users must be granted access or not.

In our work, we define an asset as follows, based on an adaptation of the definition of asset in ISO/IEC IS 13335-1 [ISO 2008] where we have replaced owner by organization.

Definition 1 (Asset). An asset is anything that has value to the owner. An asset may be tangible or intangible, hardware, software, data, buildings, infrastructure, but also products, knowledge resources, customer relationships or reputation.

ISO/IEC IS 13335-1 [ISO 2008] defines vulnerability as follows:

Definition 2 (Vulnerability). Vulnerability is a weakness of an asset that can be exploited by one or more threats.

“Vulnerabilities can exist in all parts of an IT system, e.g., in hardware or software, in organizational structures, in the infrastructure or in personnel” [ISO 2008].

The ISO/IEC Guide 73 [ISO 2009] defines an event as follows:

Definition 3 (Event). An event is an occurrence of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences. In our work, an event has thus a probability and an outcome.

Definition 4 (Outcome). An outcome can range from positive to negative and be expressed qualitatively or quantitatively. There can be more than one outcome from one event. In our work, an event has an outcome with a cost or benefit expressed in Euros.

We use the ENISA [ENISA 2006] definition of probability:

Definition 5 (Probability). A probability is the extent to which an event is likely to occur from 0 to 1.

We define a threat according to ISO/IEC IS 13335-1 [ISO 2008] where negative consequence is replaced by harm:

Definition 6 (Threat). A threat is any action or event with the potential to cause negative outcome(s).

According to ENISA [ENISA 2006]:

Definition 7 (Security incident). A security incident is an event that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.

The phase of informing the user is an important part of risk management and usually called “risk communication” [ENISA 2006]. It is the reason we adopt the two following definitions from ISO/IEC Guide 73:

Definition 8 (Risk communication). Risk communication is a process to exchange or share information about risk between the decision-maker and other stakeholders. The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk.

Definition 9 (Risk treatment). Risk treatment is a process of selection and implementation of measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

The ISO/IEC Guide 73 [ISO 2009] defines the risk estimation process as the process to assign values to the probability and consequences of a risk. It can consider cost, benefits, the concerns of stakeholders and other variables, as appropriate for risk evaluation. However, one report on the consumerisation of IT from the ENISA [Clarke et al. 2012] underlines that potential benefits are a major aspect that has not been taken into account in standard threat methodologies: “As regards opportunities, due to missing standardized definitions” [Clarke et al. 2012]. There may be also positive consequences of an action or event and risk management tends to focus on negative outcomes and negative events, i.e., threats.

The BYOD and mobile work trend are spreading in corporate environments because, although they introduce risks of attacks when the users are outside of the company, they bring many opportunities with beneficial outcomes that users expect anyway: work from anywhere, fewer unproductive paid times, etc. Thus, based on the ENISA [Clarke et al. 2012] report, we have defined opportunity as any action or event with the potential to cause positive outcome(s).

2.2 Beyond the State of the Art Related Work

Han et al. [Han et al. 2010] also underline that opportunities have not been sufficiently taken into account, especially in the field of access control. In their paper, they argue that a few researchers studied the risk of allowing access requests, but few of them explicitly cared about the risk of denying access requests, i.e., the potential benefit loss of not allowing the access. In their work, they have two types of benefit: intentional and inadvertent. By intentional benefit, they mean the benefit that an administrator explicitly knows before the action is done, whereas by inadvertent benefit they mean the benefit that the administrator does not know before the action is done, which we materialize in our work as an opportunity descriptor. They only calculate the intentional benefit, and ignore the inadvertent benefit. Thus, our work, as detailed in Section 3, goes a step further by allowing the user or system to specify the opportunity, i.e., the inadvertent benefit, behind the access request.

Zhang et al. also worked on introducing benefits in addition to threats in their Benefit And Risk Access Control (BARAC) model [Zhang et al. 2006]. They defined risk and benefit as two vectors used to make the decision by balancing risks of information disclosure with benefits of information sharing. Our model is not only focused on information sharing scenarios and covers more steps of risk management including risk communication, risk treatments and opportunities specifications in different scenarios types.

Baracaldo and Joshi extend role-based access control (RBAC) with risk and trust management in order to mitigate insider threats, i.e., internal legitimate users who might want to steal some assets of the company [Baracaldo and Joshi 2012]. They use a Colored Petri-net to model the history of access and try to infer suspicious or risky access leading to lowering the trust value in the user involved in this suspicious access. In their example, they consider a soap-making company whereby the access request would concern the list of providers. They assume that the provider list is considered sensitive, as its information provides the company a competitive advantage. They assume that its leakage would cost around $30,000. They also fix a static probability of occurrence of this event according to their system’s configuration, leading to a risk of $3,000. They assign a trust value in the user between 0 and 1, from no trust to full trust. However, they assume there is a system, which is beyond the scope of their work, assigning automatically this trust value. In contrast to our work, their framework requires an administrator to provide the risk values associated with each permission in the system whilst our framework automatically computes the risk in real-time at request time. Similarly to our work, they evaluate their framework through simulations and we assign asset costs in the same range that they have done. Regarding their trust value in the user, they do not detail how that trust value would be computed and they even assume that it would be computed according to a proven computational trust metric developed by others. Our paper also concentrates on the risk aspect of our model where the trust value in the user may be computed and used as part of the risk calculation, but we do not argue in this paper that we have developed a user trust metric going beyond the state of the art.

As Shaikh et al. underline, in traditional multi-level security systems, trust and risk values require manual intervention of the CSO, security technician or administrator [Shaikh et al. 2011]. In nowadays BYOD and mobile work environments, they argue that a flexible risk-based access control decision system should keep track of the outcomes of allowing users access to resources, and determine future access decisions on the basis of these outcomes, and that no existing risk-based access control method takes such variability into consideration. Thus, they create a system where trust values in users are computed based on the positive or negative outcomes of their previous actions. It is a similar approach to the one we use in our work to compute the trust value in the user. Again similarly to us, they evaluate their work through numerical simulation proving that their proposed risk-based access control decision methods are adaptive and moderately increase or decrease all users’ access rights to resources based on their past behavior.

So there are different trust metrics in previous work that could be used to compute the trust in a user. A computational model of trust based on social research was first proposed by Marsh [Marsh 1994]. In social research, there are three main types of trust: interpersonal trust, based on past interactions with the trustee; dispositional trust, provided by the trustor’s general disposition towards trust, independently of the trustee; and system trust, provided by external means such as insurance or laws [McKnight and Chervany 1996]. Trust in a given situation is called the trust context.

In Marsh’s model, each trust context is assigned an importance value in the range [0,1] and utility value in the range [-1,1]. Any trust value is in the range [-1,1), from very untrustworthy to very trustworthy. In addition, each virtual identity is assigned a general trust value, which is based on all the trust values with this virtual identity in all the trust contexts. Dispositional trust appears in the model as the basic trust value: it is the total trust values in all contexts in all virtual identities with whom the trustor has interacted so far. Risk is used in a threshold for trusting decision making.

In the human world, trust exists between two interacting entities and is very useful when there is uncertainty in the result of the interaction. The requested entity uses the level of trust in the requesting entity as a means to cope with uncertainty, to engage in an action in spite of the risk of a harmful outcome. There are many definitions of the human notion of trust in a wide range of domains, with different approaches and methodologies: sociology, psychology, economics, pedagogy, etc. These definitions may even change when the application domain changes. However, it has been convincingly argued that these divergent trust definitions can fit together [McKnight and Chervany 1996]. Romano’s recent definition tries to encompass the previous work in all these domains.

Definition 10 (Trust). “Trust is a subjective assessment of another’s influence in terms of the extent of one’s perceptions about the quality and significance of another’s impact over one’s outcomes in a given situation, such that one’s expectation of, openness to, and inclination toward such influence provide a sense of control over the potential outcomes of the situation” [Romano 2003].

Interactions with uncertain results between entities also happen in the online world. So, it would be useful to rely on trust in the online world as well. However, the terms trust, trusted, trustworthy and the like, which appear in the traditional computer science literature, have rarely been based on these comprehensive multi-disciplinary trust models and often correspond to an implicit element of trust – a limited view of the facetted human notion of trust. Trusted computing is important to try to better know if a computing platform is trustworthy. Krishna and Varadharajan [Krishna and Varadharajan 2011] have proposed a model that encompasses the notions of 'hard' and 'soft' trust to determine whether a platform can be trusted for authorization. Blaze et al. [Blaze et al. 1996] coined the term “decentralized trust management" because their approach separates trust management from application: their PolicyMaker introduced the fundamental concepts of policy, credential, and trust relationship. Terzis et al. [Terzis et al. 2005] argued that this model of trust management still relies on an implicit notion of trust because it only describes “a way of exploiting established trust relationships for distributed security policy management without determining how these relationships are formed”.

A number of other major trust models have followed Marsh’s one [Govindan and Mohapatra 2012; Grandison and Sloman 2000; Kevin Hoffman and Nita-Rotaru 2007; Medi 2012; Seigneur 2005]. Castelfranchi and Falcone argue for a trust engine based on cognitive science where the main trust evidence type comes from the entity’s belief and goals structure rather than probabilistic quantitative views, economics or game theory [Castelfranchi and Falcone 2000]. Dimmock concludes in his PhD thesis that more work with regard to the risk of the situation must be done and especially with regard to the time element of risk: “one area that the framework does not currently address in great detail is the notion of time” [Dimmock 2005]. A recent survey of trust models for multi-agent systems still underlines that “among these trust models, risk received the least attention. The element of risk is a very critical factor for each interaction; hence, there is a need to incorporate more consideration for risk in designing future trust models” [Balakrishnan and Majd 2013]. It is the reason that in the next sections, we focus on how the risk aspect of our model goes beyond the state of the art whilst the trust metric is assumed to be part of the model but not a key novelty. As already underlined in the introduction, computing trust values in users based on their previous actions is also prone to legal issues due to privacy laws that limit what can be stored and computed about a user, especially in privacy-friendly countries such as Belgium [Van Der Sype and Seigneur 2014].

3. OPPORTUNITY-ENABLED RISK MANAGEMENT (OPPRIM) DESIGN

Based on the above previous work that underlines the importance of allowing opportunities in current BYOD/mobile working environment, we have adapted the definition of risk from ISO/IEC 13335-1 [ISO 2008] that did not take into account potential benefits.

Definition 11 (Risk). Risk is the combination of the probability that a given threat will successfully exploit vulnerabilities of an asset or group of assets with the cost of the negative consequences to the owner balanced with the benefit of the positive consequence of an available opportunity.

And then we also introduce the definition of an opportunity:

Definition 12 (Opportunity). An opportunity is any action or event with the potential to cause positive outcome(s).

Thus, in our model, we have two main types of events used for decision-making: threats with potential cost in Euros; opportunities with potential benefits in Euros.

We use an object oriented (OO) model for the design. In the remainder of the paper we mention a few classes of this OO model, starting with upper-case letters and with concatenated words also starting with an upper-case letter if needed. For example, Opportunity and Threat are two classes modeled as subclasses of a RiskEvent class.

For example, in our BYOD/mobile work environments, the benefit of letting the user access the asset that she wants to access could be computed based on the hourly cost of the user, who otherwise could not work because she is at an airport without any other opportunity to work if she does not have access to this company asset. For a start, because it is difficult to automatically infer the opportunities at hand for a user, we provide a user interface, as depicted in Figure 1, that the users can use to specify their opportunities as part of an OpportunityDescriptor. We are working on means to automatically infer opportunities by mining the user’s context; e.g., by mining the user’s online calendar and location, the computational engine would infer that the user is at the airport waiting for her next flight in one hour’s time. Thus, the user may not have to fill in opportunity descriptors manually. In Section 4, we present the results of a user survey that we carried out to know what the users would think of such a step during which they would have to specify their opportunity.

Figure 1. OpportunityDescriptor mockup

Regarding the value of the Asset, it would be estimated a priori by the CSO or security technician, as depicted in step 1 of Figure 2; for example, the value of the confidential documents required for a patent proposal may be estimated a priori as previous work did, e.g., $30,000 for a provider list in [Baracaldo and Joshi 2012]. The CSO would also configure the RiskPolicy in step 2. Subsection 3.2 details what kind of risk policy has to be configured in OPPRIM. Step 3 is triggered each time a user makes an AccessRequest to one of the digital Assets, e.g., stored in the company remote server. The company remote server contains what we call a Real-Time Risk and Trust Analysis Engine (RT2AE), as delimited by the dotted rectangle on the right side of Figure 2, that has been configured with the RiskPolicy and the Asset values.

Once the server receives the AccessRequest, it passes it to the RT2AE for decision-making. In addition to the RT2AE software extending the server, the mobile application on the remote user’s mobile device making the AccessRequest is extended with software able to display any RiskCommunication sent back by the RT2AE as part of the Decision and to sense a few Clues during step 4 regarding the context of the device, e.g., its location, whether it has an up-to-date anti-virus or not, whether it is using an open Wi-Fi or a WPA2 protected one. Those Clues are used to infer the potential Threats at the time of the AccessRequest in step 5. Subsection 3.1 below details how Threats are created and how their probabilities are updated. Step 6 concerns inferring the OpportunityDescriptor without manual intervention by the user if possible. Then in step 7, the costs of the potential Threats are balanced with the benefits of the Opportunity according to the defined RiskPolicy.

Figure 2. High-level view of OPPRIM main steps

Depending on this balance and the RiskPolicy, four main types of Decision are possible in step 8:

• Granted: in this case, the user may not even have to be disturbed by a RiskCommunication message saying that access has been granted, i.e., she is just able to access the asset as usual, in Weiser’s disappearing computing vision [Weiser and Brown 1996].

• Strong deny: in this case, the user sees a message that in this situation, she cannot access the requested asset and no RiskTreatment is possible to change that Decision. The sequence of steps would end at this point.

• Maybe: Access to the asset may be granted if RiskTreatments are applied. In this case, one or more possible RiskTreatments are displayed to the user as part of the RiskCommunication in step 9. For example, the user who is willing to access a company asset from an airport remote location may be informed that she should rather not use the open Starbucks airport Wi-Fi and go to the nearby airport business lounge, which is known to be more secure. Another type of RiskTreatment may be the display of the OpportunityDescriptor user interface that the user could use to refine the description of the opportunity in order to better grasp the potential benefit of granting the current request. If the user successfully applies the RiskTreatments, then she may have access to her requested assets. Steps 10 and 11 are thus optional since they might not happen, e.g., if the Decision is Granted or the user does not want to carry out further RiskTreatments.

• On your own risk: For example, that type of Decision corresponds to the usual case when a user is warned that an HTTPS connection is untrusted by the Web browser but the user can add an exception “I understand the risk” and still access the Web site, as depicted in Figure 3. Although letting the user choose herself often ends up with the user deciding to access the asset, because the user does not believe the risks behind the access and wants to access anyway, our model acknowledges that it is common practice and an “On your own risk” Decision is possible. The RiskCommunication of such a Decision contains a list of detailed risks explaining to the user that she might decide to access the assets but that a number of detailed risks remain. However, in our model we also display that if the negative outcomes of the risks displayed to the user happen in the future, the user might be held liable and her UserTrustValue would decrease. Another improvement in our model is that the RiskCommunication may also contain a list of possible RiskTreatments that may be carried out rather than just accessing the Asset in the current risky context. Thus, that type of Decision is an extension of the “Maybe” Decision type where the user may decide to access the asset in spite of the risk and without carrying out possible RiskTreatments.

Figure 3. Standard Web browser untrusted connection risk communication

3.1 Threats creation and update

Step 5 of our OPPRIM model requires inferring the current Threats and their probability, especially the Threats surrounding the mobile device of the user.

Although the mobile app accessing the Asset may be able to call advanced threat monitoring tools such as a professional anti-virus to fulfill this requirement, we present below a standalone version that we have used in our simulation evaluation in Section 4.

Let c ∈ C be a Clue, where C is the set of all possible clues: any kind of piece of evidence of the presence of a Threat which can be sensed by the extended mobile application trying to access an Asset and going through the RT2AE to get the Decision. For example, $c_1$ corresponds to the clue that the user is running an up-to-date anti-virus on her mobile device, $c_2$ corresponds to the clue that she is connected to a WPA2 protected Wi-Fi, and $c_3$ corresponds to the clue that she is at Geneva airport. From the AccessRequest, we know from which device the request is made through its id, clue $c_4$, the user id, which corresponds to the clue $c_5$, and which Asset is concerned, corresponding to clue $c_6$. From the Asset, we derive the Threat cost, which corresponds to the Asset value if it got compromised. Regarding the Threat name, although it is easier for humans to create easy to remember names such as “Phishing” or “Sniffing”, as it concerns automated Threat creation and updates in the RT2AE, we simply define the Threat name as the set of current Clues. In our example, the Threat name would be the set $\{c_1, c_2, c_3, c_4, c_5, c_6\}$. Intuitively, such a set represents the situation whereby the Asset is going to be used and may be compromised if the situation is too risky. Such sets also take into account that the current user may be a Threat to the Asset with more or less probability, where user Threat probability = 1 − UserTrustValue ∈ ℜ[0,1], 0 for the UserTrustValue meaning fully untrustworthy and 1 fully trustworthy. A new Threat may be created from a subset of the Threat Clues and its probability derived from the probability of the initial Threat. However, we leave the update of subsets of Threat Clues for future work and concentrate on the probability computation of the current Threat Clues set. As we have no threat history, any Threat starts with a probability of 0.5. A Threat gets updated in step 15 of Figure 2 when a SecurityIncident has been reported in the previous step 14 and the Threat has been found to be the root cause of this SecurityIncident. In our evaluation simulations in Section 4, the Threat probability is based on the number of SecurityIncidents generated by a Threat divided by the number of times this Threat situation has happened.
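As an added illustration (not code from the paper nor from the OPPRIM simulator), the following Python sketch implements the Clue-set Threat naming and the incident/occurrence probability update described above. The clue labels, the registry class and the independence assumption used to combine the situation Threat with the user Threat (1 − UserTrustValue) are my own assumptions, not the paper's.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

Clue = str  # a Clue is an opaque label such as "wifi:open" (constructed naming)


@dataclass
class Threat:
    """A Threat created automatically by the RT2AE is named by the set of
    current Clues (Section 3.1); occurrences and incidents form its history."""
    clues: FrozenSet[Clue]
    occurrences: int = 0   # times this Clue situation has happened
    incidents: int = 0     # SecurityIncidents whose root cause is this Threat

    @property
    def probability(self) -> float:
        # No history yet: the paper starts every Threat at 0.5.
        if self.occurrences == 0:
            return 0.5
        # Otherwise: incidents generated by this Threat / times it happened.
        return self.incidents / self.occurrences


class ThreatRegistry:
    """Keeps one Threat per Clue set across AccessRequests (assumed helper)."""

    def __init__(self) -> None:
        self._threats: Dict[FrozenSet[Clue], Threat] = {}

    def lookup(self, clues: Iterable[Clue]) -> Threat:
        """Step 5: find (or create) the Threat named by the current Clues."""
        key = frozenset(clues)
        return self._threats.setdefault(key, Threat(key))

    def record_occurrence(self, clues: Iterable[Clue]) -> Threat:
        """The situation happened (the Asset was used in this context)."""
        t = self.lookup(clues)
        t.occurrences += 1
        return t

    def report_incident(self, clues: Iterable[Clue]) -> Threat:
        """Steps 14-15: a SecurityIncident traced back to this Threat."""
        t = self.lookup(clues)
        t.incidents += 1
        return t


def user_threat_probability(user_trust_value: float) -> float:
    """user Threat probability = 1 - UserTrustValue, UserTrustValue in [0, 1]."""
    if not 0.0 <= user_trust_value <= 1.0:
        raise ValueError("UserTrustValue must be in [0, 1]")
    return 1.0 - user_trust_value


def combined_threat_probability(situation_p: float, user_trust_value: float) -> float:
    """Assumption (not specified by the paper): the situation Threat and the
    user Threat are independent, so the Asset is compromised if either one
    materialises: 1 - (1 - p_situation) * (1 - p_user)."""
    p_user = user_threat_probability(user_trust_value)
    return 1.0 - (1.0 - situation_p) * (1.0 - p_user)


def expected_threat_cost(threat: Threat, asset_value: float, user_trust_value: float) -> float:
    """The Threat cost is the Asset value if compromised; weighting it by the
    combined probability gives the expected cost balanced in step 7."""
    return combined_threat_probability(threat.probability, user_trust_value) * asset_value
```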

3.2 OPPRIM formalism and RiskPolicy configuration

In this section, we present how we could formalize our OPPRIM model. Then we give a few examples of the use of this formalism for OPPRIM. Finally, we explain how the RiskPolicy could be specified by the CSO when OPPRIM is used.

Let be an opportunity at hand opp ∈ OPP the set all possible opportunities.

Let be an outcome o O the set of all outcomes and O Oh the subset of future possible outcomes given that an outcome oh has happened.

Let $opp$ potentially lead, with a probability $p_{opp} \in \mathbb{R}[0,1]$, to $m \in \mathbb{N}$, $m \geq 1$, outcomes with a benefit of $\alpha_i\, b_{opp_i}$, with $\alpha_i \in \mathbb{R}[0,1]$ and maximum benefit $b_{opp_i} \in \mathbb{R}^+$, with $i \in \mathbb{N}[1,m]$.

Let $opp$ potentially open the door to $x \in \mathbb{N}$ threats $t \in T$, the set of all possible threats, with probabilities $p_{t_j} \in \mathbb{R}[0,1]$, $j \in \mathbb{N}[0,x-1]$ if $x \geq 1$ (else no threat exists), each threat leading to $n$ outcomes with a cost $\alpha_k\, c_{t_j,k}$, with $\alpha_k \in \mathbb{R}[0,1]$ and maximum cost $c_{t_j,k} \in \mathbb{R}^+$, with $k \in \mathbb{N}[0,n-1]$ if $n \geq 1$ (else $k$ does not exist).

Let $bal$ be the balance resulting from the costs paid for the potential threats that have happened due to the taken opportunities that have generated savings:

$$bal = \sum_{i=1}^{m} \alpha_i\, b_{opp_i} \;-\; \sum_{j=0}^{x-1} \sum_{k=0}^{n-1} \alpha_k\, c_{t_j,k}$$

Formula 1. Balance of Threats costs and Opportunities benefits

• If the opportunity is taken,

o the best-case balance $bal_{bc} \in \mathbb{R}$ possible is:

$$bal_{bc} = \sum_{i=1}^{m} b_{opp_i}$$

Formula 2. Best-case balance if Opportunity is taken

o the worst-case balance $bal_{wc} \in \mathbb{R}$ possible is:

$$bal_{wc} = -\sum_{j=0}^{x-1} \sum_{k=0}^{n-1} c_{t_j,k}$$

Formula 3. Worst-case balance if Opportunity is taken

• If the opportunity is not taken,

o the worst-case balance $bal_{wc} \in \mathbb{R}$ possible, which happens if the opportunity is lost forever and if $z$ threats that could have happened due to this opportunity have happened afterwards due to another reason, cannot be recovered and lead to $y$ negative outcomes, is:

$$bal_{wc} = -\sum_{i=1}^{m} b_{opp_i} \;-\; \sum_{j=0}^{z-1} \sum_{k=0}^{y-1} c_{t_j,k}$$

Formula 4. Worst-case balance if Opportunity is not taken and lost forever

o the most common balance may be:

$$bal_{common} = -\sum_{i=1}^{m} b_{opp_i}$$

Formula 5. Common worst-case balance if Opportunity is not taken

Straightaway, the above formalism allows us to select the most profitable opportunity if several opportunities are at hand. One may also think of a sequence of opportunities whereby an accomplished opportunity may open the door to further opportunities. In this case, the profitability of the full sequence of opportunities would have to be taken into account when deciding whether or not to engage with an opportunity.

Let us take the example of a mobile worker having two hours to wait at the airport and triggering the opportunity to work with a few assets. First, if there is no attack while the mobile worker is at the airport, then the opportunity benefit would be estimated at 2 hours multiplied by the hourly salary cost of the employee, e.g., 300 euros if the hourly cost is 150 euros per hour, assuming the employee is trustworthy and really spends the 2 hours working and not surfing the Web or doing something else:

$$bal_{bc} = \alpha_1\, b_{opp_1} = \alpha_1 \times 300 = 1 \times 300 = 300$$

If the work at the airport required accessing some valuable background material, such as the results of a market study paid 15000 euros, then this work would introduce the potential threat of an attacker stealing the market study while it is being accessed over the network:

$$bal_{wc} = -\sum_{j=0}^{0} \sum_{k=0}^{0} \alpha_k\, c_{t_j,k} = -\alpha_0\, c_{t_0,0} = -1 \times 15000 = -15000$$

If the work at the airport required accessing some public material, such as the draft of an advertisement poster that is meant to be public anyway, then this work would introduce the potential threat of an attacker stealing the public material while it is being accessed over the network, but the cost in this case is 0 as it is already meant to be public:

$$bal_{wc} = -\sum_{j=0}^{0} \sum_{k=0}^{0} \alpha_k\, c_{t_j,k} = -\alpha_0\, c_{t_0,0} = -1 \times 0 = 0$$

In the latter OPPRIM example case, as the cost is null, although the CSO may have configured a corporate security rule stating that an employee cannot access any corporate data outside of the company premises, it would be beneficial for the company to let the user work at the airport on the public poster. It is the reason that we introduce a higher-level policy called the RiskPolicy on top of fixed corporate security rules. The RiskPolicy may be processed in parallel to the fixed corporate security rules and take over those rules if the probability of a positive balance is very high and the company through its CSO is willing to reap the fruits of the opportunities in spite of some risk. The textual representation of such an example RiskPolicy could be:

Grant access if all fixed rules are fulfilled or if the cost of the threats introduced by the opportunity is lower than 1000 euros with a probability lower than 5% and the benefit of the opportunity is higher than the potential cost of the threats introduced by the opportunity with a probability higher than 75% even if all fixed rules are not fulfilled.

In order to be able to specify such RiskPolicies, we introduce the following arguments and operators:

• Arguments:

Let $cOppThreatsMax \in \mathbb{R}^+$ be the maximum total cost introduced by the threats of the opportunity, and $p_{cOppThreatsMax} \in \mathbb{R}[0,1]$ the probability that this maximum total cost occurs.

Let $bOppMax \in \mathbb{R}^+$ be the maximum benefit introduced by the opportunity, and $p_{bOppMax} \in \mathbb{R}[0,1]$ the probability that this maximum benefit occurs.

Let $p_{b>c} \in \mathbb{R}[0,1]$ be the probability that the benefit is higher than the cost.

Let $\forall R$ be a Boolean value meaning that all fixed rules $r \in R$, the set of all possible fixed rules, are fulfilled, and $\neg\forall R$ meaning that not all fixed rules are fulfilled.

Let $d$ be a Decision among the following subset $\{dGranted, dMaybe, dOnYourOwnRisk, dStrongDeny\} \subseteq D$ of the set $D$ of all Decisions, as defined above: dGranted meaning that the access has been granted; dMaybe meaning that the access may be granted but after potential RiskTreatments as detailed above; dOnYourOwnRisk meaning that the access has remaining risks but the user is free to decide to access the asset as detailed above; dStrongDeny meaning that the access has been denied.

• Operators:

Let be the available operators between all the above arguments:

=,≠,<,≤,>,≥,  ( ), IF, THEN, ELSE, AND, NOT, OR

Thus, the above textual example RiskPolicy would be formalized as:

IF (((cOppThreatsMax < 1000 AND $p_{cOppThreatsMax}$ < 0.05) AND ((bOppMax − cOppThreatsMax) > 0) AND ($p_{b>c}$ > 0.75)) OR $\forall R$) THEN dGranted

Formula 6. RiskPolicy example

4. OPPRIM EVALUATION
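The balance formalism of Formulas 1 to 5, the airport example, and the RiskPolicy of Formula 6 worked through in one added Python example. This is illustrative code written for this edit, not the paper's or the OPPRIM simulator's code. It assumes that threats materialise independently of each other and of the opportunity's success (so $p_{cOppThreatsMax}$ is the product of the threat probabilities and $p_{b>c}$ can be obtained by enumerating the outcome combinations), that a threat which materialises incurs its full maximum cost, and that Formula 6, which has no ELSE branch, falls back to dStrongDeny. The threat probability of 0.02 used for the airport scenario is a constructed value; the paper does not give one.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass
class Opportunity:
    """opp: succeeds with probability p_opp and then yields the m outcome
    benefits b_opp_i (maximum benefit of each outcome)."""
    p_opp: float
    benefits: List[float]


@dataclass
class Threat:
    """t_j: materialises with probability p_tj and then costs the n outcome
    costs c_tj_k (maximum cost of each outcome)."""
    p_t: float
    costs: List[float]


def balance(opp: Opportunity, alpha_b: List[float],
            threats: List[Threat], alpha_c: List[List[float]]) -> float:
    """Formula 1: realised benefits minus realised threat costs.
    alpha_b[i] scales benefit i; alpha_c[j][k] scales cost k of threat j
    (the paper indexes alpha by k only; a per-threat list is the general form)."""
    gained = sum(a * b for a, b in zip(alpha_b, opp.benefits))
    paid = sum(a * c for t, alphas in zip(threats, alpha_c)
               for a, c in zip(alphas, t.costs))
    return gained - paid


def best_case_taken(opp: Opportunity) -> float:           # Formula 2
    return sum(opp.benefits)


def worst_case_taken(threats: List[Threat]) -> float:      # Formula 3
    return -sum(c for t in threats for c in t.costs)


def worst_case_not_taken(opp: Opportunity, lost: List[Threat]) -> float:  # Formula 4
    return -sum(opp.benefits) - sum(c for t in lost for c in t.costs)


def common_not_taken(opp: Opportunity) -> float:           # Formula 5
    return -sum(opp.benefits)


def policy_arguments(opp: Opportunity, threats: List[Threat]
                     ) -> Tuple[float, float, float, float, float]:
    """Derive (cOppThreatsMax, p_cOppThreatsMax, bOppMax, p_bOppMax, p_{b>c}).
    Assumption: threats are independent of each other and of the opportunity."""
    c_max = sum(c for t in threats for c in t.costs)
    p_c_max = 1.0
    for t in threats:
        p_c_max *= t.p_t
    b_max = sum(opp.benefits)
    # p_{b>c}: enumerate opportunity success x materialised-threat subsets and
    # add up the probability mass of the combinations where benefit > cost.
    p_b_gt_c = 0.0
    for success, *hit in product((0, 1), repeat=1 + len(threats)):
        prob = opp.p_opp if success else 1.0 - opp.p_opp
        cost = 0.0
        for h, t in zip(hit, threats):
            prob *= t.p_t if h else 1.0 - t.p_t
            cost += sum(t.costs) if h else 0.0
        if prob and (b_max if success else 0.0) > cost:
            p_b_gt_c += prob
    return c_max, p_c_max, b_max, opp.p_opp, p_b_gt_c


def risk_policy(c_opp_threats_max: float, p_c: float, b_opp_max: float,
                p_b_gt_c: float, all_rules_fulfilled: bool) -> str:
    """Formula 6: grant if all fixed rules hold, or if the relaxed risk
    conditions hold; the ELSE branch (deny) is this example's assumption."""
    relaxed = (c_opp_threats_max < 1000 and p_c < 0.05
               and (b_opp_max - c_opp_threats_max) > 0
               and p_b_gt_c > 0.75)
    return "dGranted" if relaxed or all_rules_fulfilled else "dStrongDeny"


def decide(opp: Opportunity, threats: List[Threat], all_rules: bool) -> str:
    c_max, p_c, b_max, _p_b, p_b_gt_c = policy_arguments(opp, threats)
    return risk_policy(c_max, p_c, b_max, p_b_gt_c, all_rules)


if __name__ == "__main__":
    # The airport example: 2 hours at 150 euros/hour; threat probability 0.02 is constructed.
    airport = Opportunity(p_opp=1.0, benefits=[300.0])
    market_study = Threat(p_t=0.02, costs=[15000.0])
    poster = Threat(p_t=0.02, costs=[0.0])
    print(balance(airport, [1.0], [market_study], [[1.0]]))   # 300 - 15000
    print(decide(airport, [market_study], all_rules=False))   # dStrongDeny
    print(decide(airport, [poster], all_rules=False))         # dGranted
```

The poster case is granted by the relaxed branch even though the fixed rules fail, which is precisely the situation the RiskPolicy was introduced for; the market-study case is only granted when every fixed rule holds, because its maximum threat cost exceeds the 1000-euro bound regardless of how unlikely the theft is.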

This section presents how we have evaluated our OPPRIM model. First, we have carried out a user survey in order to see how users would react to specifying opportunities. Then we have evaluated quantitatively, at company level, how much benefit OPPRIM could bring. Finally, we have implemented an open-source simulator in Java on Github to evaluate how different risk policies and threat update algorithms would behave in different scenarios.

4.1 User survey

As depicted in Section 3, our OPPRIM model introduces a few new steps in the user experience, such as the display of possible RiskTreatments and the OpportunityDescriptor form. It is therefore interesting to evaluate it through user feedback, especially to improve the model with regard to user adoption.

It is the reason that we have carried out an online survey through the Google Consumer Surveys service, which targets an audience representing the US Internet population, matching as closely as possible the distribution of people in the US by age, gender and location as reported in the US census current population survey.

The first question that we asked and used as a screening question for follow-up questions was “Have you already downloaded work-related documents to your laptop when you are out of your work office, e.g., from an airport?” 1156 users responded to this question whose answers “No” and “Yes” were displayed in a random order before the answer “I don't understand the question” that was shown in the last position to each respondent. The “No” is the statistically significant winning answer at 69% with 95% confidence interval as shown on Figure 4 as calculated using the Wilson score interval [Wilson 1927].


Figure 4. Answers to survey screening question

From the 846 “No” responses, the age as depicted in Figure 5 creates statistically significant differences with a 98% confidence interval. As expected intuitively, younger adults have more often downloaded work-related documents than 55+ years old adults.

Figure 5. Age differences with regard to “No” answer to question 1

Then, to the respondents who answered “Yes” to question 1, we asked the following question “Before downloading a work document to your laptop, how easy for you would it be to write in a text box why it is important for you to have it now rather than back at work?” As the survey time to answer more questions is higher, we got fewer answers. Among the 92 received answers, the trend was that the users felt it would be easier than difficult to write why they would need access to a company asset now than back at work as depicted in Figure 6.

Figure 6. Difficulty of writing why an asset is needed now by a user

Another question that we asked the respondents who answered “Yes” to question 1 was “How easy for you would it be to estimate how much time you have to work with the downloaded work document before being back at your work office?” Again, among the 92 received answers, the trend was that the users felt it would be easier than difficult to estimate how much time they would have to work with the downloaded company asset, as depicted in Figure 7.

Figure 7. Difficulty of estimating the available time to work on an asset

Thus, these first results are encouraging with regard to the above OpportunityDescriptor mockup in Figure 1, because users seem confident in being able to write the reason why they would need access to an Asset now rather than later and how much time they would have to work on this Asset, which is useful to estimate the benefit of the opportunity based on the hourly cost of the user. Of course, the potential benefit of allowing users to work when outside of their office becomes more significant as the number of users grows, and that is why in the next subsection we have evaluated how large this benefit could be for a high number of users, as found in consulting companies for example.

4.2 Quantitative Evaluation of OPPRIM at Company Level

Knowing that end-users may be able to use OPPRIM is encouraging; however, as OPPRIM deals with corporate assets, we also have to convince companies to use it. It is the reason that we have evaluated in this section how much benefit OPPRIM would bring at company level, encompassing all users and their use of it, and not only at user level, where the benefits are less convincing. Consulting companies may have 100 or even 1000 mobile workers/consultants, and this multiplication factor on the potential benefits brought by OPPRIM per user may be worthwhile. “Saving a few seconds of a person's time here and there may seem to be of little matter, but these seconds accumulate rapidly and build quickly to represent large dollar amounts” when hundreds of users are concerned [Doherty and Thadhani 1982].

If we assume that a company has 100 employees who are consultants, who have to wait on average 2 hours per month at airports, and whose cost for the company including charges is 200 $ per hour, then after a year, if those consultants cannot access company asset files whilst waiting at these airports due to a too strict fixed company security rule stating that files must not be accessed from outside the company office locations, all those potential working hours are lost, for an amount of 480 000 $ per year, not taking into account other value that may be created by letting those consultants work while waiting.

Since we have an evaluation of the potential benefit of these Opportunities, we should balance them against the costs of the Threats they introduce. In order to do so, we have used the Symantec Ponemon Institute data breach online calculator¹. That institute has examined the real cost incurred by organizations, across industry sectors, after experiencing a real data breach SecurityIncident, since 2005. The data the calculator uses was gathered with a survey instrument designed to collect descriptive information about the costs incurred either directly or indirectly concerning a data breach. After configuring a few parameters (company industry and asset types, location…), the calculator can calculate:

¹ http://www.databreachcalculator.com/

• the likelihood that a company will experience a data breach in the next 12 months

• the cost per record in the event of a data breach at that company

• the overall cost of a data breach at that company

If we assume that the company employing the 100 consultants above is in the financial services industry, handling less than 1000 customer data records including credit card information, possibly stored unencrypted on laptops, without a CSO, operating only in the USA, without strong authentication (e.g., two-factor authentication using a hardware token), without a formal security policy, not knowing the most likely cause of a data breach, and allowing its consultants to access those assets remotely either from a company device or BYOD, then the likelihood of experiencing a data breach in the next 12 months is 10%, with an average total cost of 102 611 $ and 205 $ per record.

If we assume the same configuration as above but with all the relevant security mechanisms in place (a CSO, encrypted storage on laptops, strong authentication with two-factor authentication using a hardware token, a formal enforced security policy, and no remote access allowed at all), then the likelihood of experiencing a data breach in the next 12 months is 9%, with an average total cost of 89 556 $ and 179 $ per record.

It seems that even with added security mechanisms, the likelihood of experiencing a data breach does not vary much. One may then question the cost of buying and maintaining those extra security mechanisms. In addition, in our example case, the average total cost of the data breach is lower than the benefits of the opportunities given by relaxed security rules for accessing company assets, such as allowing their access from company devices or even BYOD. Thus, OPPRIM is even more interesting at company level, when the opportunities of all employees are taken into account.

4.3 Simulations with the Open-Source Swing Java-based OPPRIM Simulator

As our OPPRIM model allows for a large panel of Threat creation and update algorithms, RiskPolicies, and trust and risk metrics, we have implemented an open-source Java-based OPPRIM simulator on Github² with a Swing GUI, as depicted in Figure 8. At the time of writing, the simulator has more than 30 000 lines of Java code.

In this section, we present the results extracted from this simulator for an initial risk metric based on the Threat creation and update mentioned in Subsection 3.1. As the simulator is open-source, others may extend it to come up with more advanced OPPRIM risk metrics.

We have decided to compare the results of our initial risk metric through simulation against a “no protection” scenario. In a no protection scenario, what we do is to get the maximum overall cost benefit for a given number of AccessRequests involving different users and assets under a known percentage of attack probability.

² https://github.com/jmseigneur/opprim-sim


Figure 8. OPPRIM open-source Swing Java GUI screenshot

We have decided to first analyze our metric without taking into account Opportunities, such as the loss of money caused by not letting an employee consultant work for an amount of time because she is not at her company office, thus losing an hour of salary doing nothing, and afterwards to take these kinds of opportunities into account to have a more realistic simulation and to check whether it makes a difference in the overall metric's results.

In our simulation, we have used a random number generator with a preset seed in order to be able to randomize our environment so it is as close to reality as possible, while still being able to repeat the simulations as many times as needed knowing the scenarios will always behave in the same way and thus we will obtain consistent results from different fixed parameters.

We have set our scenarios through the Java Swing GUI of our open-source simulator as follows:

• A set of users, up to a selected maximum amount, is generated with a fixed hourly salary of 200 €/h and an initial UserTrustValue of 0.5. As mentioned in Subsection 3.1, a user may also be considered as a potential Threat, and any user Threat starts with a 0.5 probability; thus, UserTrustValue = 1 – (user Threat probability).

• A set of Assets, up to a selected maximum amount, is generated with a fixed value of 10 000 €, similarly to the assignment of fixed values to Assets in the related work [Baracaldo and Joshi 2012] mentioned in Subsection 2.2.

• A set of AccessRequests, combining one random user and one random Asset using the random number generator. The amount of AccessRequests generated is the result of multiplying the amount of users present in the simulation by the amount of times they need to perform an AccessRequest while working outside the office (let it be in an airport, a train, at client office, in a coworking place or any other situation that implies mobility). This amount of times has been set to 24 over a year, accounting for two AccessRequests to Assets from outside the company premises per month per user.


• A RiskPolicy with a Threat probability threshold value of 0.5, which will discard any Access attempt when the current Threat probability is over that threshold.

We have then run these simulations for a likelihood of attack ranging from 0% to 100%, in 10% intervals, for 100 consultants, both without opportunities and with opportunities. The detailed results of the simulation are presented in Figure 9.

Figure 9. NoProtection versus InitialRiskMetric without Opportunities

As can be seen in the previous figure and table, our metric performs exactly as the baseline metric (no protection) until we go over a 30% attack likelihood. This is due to the fact that with small amounts of compromised AccessRequests, not many Threats have their probabilities updated, so it is unlikely that the Decision process will deny access to any other request. From 40% attack likelihood upwards, on the other hand, we can see that our metric outperforms the baseline metric, as we effectively prevent AccessRequests associated with a Threat that has a high probability of turning into a bad outcome from being granted access.

In order to check whether introducing Opportunities makes a difference in how our metric behaves with respect to the baseline metric, we have run simulations for an attack likelihood ranging from 0% to 100%, again for 100 users doing a total of 2400 AccessRequests per year, during which they would have 1 hour on average to wait twice a month and then work while they wait if the AccessRequest is granted; otherwise, the paid hours would be lost. The results of the simulations can be seen in Figure 10. Again, our metric underperforms compared to the baseline metric up to a 30% attack likelihood, because the baseline metric allows all AccessRequests and thus cashes in all Opportunities, while the amount of compromised Assets is not high enough to cancel this benefit. Because our metric is more protective and restrictive, we miss out on some of these Opportunities when the attack likelihood is low, which accounts for the slight difference in cost benefit compared to the baseline metric. From 40% attack likelihood upwards, our metric again outperforms the baseline metric, as the compromised Assets in play are more valuable overall than the sum of the Opportunities missed by denying access.
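A miniature version of the NoProtection versus InitialRiskMetric comparison described in this subsection, as an added Python example. It is illustrative code written for this edit, not the OPPRIM Java simulator, and it reduces the Threat name to the (user, asset) pair, the only clues it randomises; the number of Assets (10) and the seed are constructed values the paper does not give. A denied request counts as the lost paid hour, following Formula 5, and a compromised Asset counts as its full 10 000 € value.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scenario constants taken from Subsection 4.3 of the paper.
HOURLY_COST = 200.0       # euros per hour of consultant time
ASSET_VALUE = 10_000.0    # fixed value of every Asset
REQUESTS_PER_USER = 24    # two AccessRequests per month over a year
WAIT_HOURS = 1.0          # time the user could work if access is granted
THRESHOLD = 0.5           # RiskPolicy: deny when Threat probability > 0.5
PRIOR = 0.5               # Threat probability before any history exists


@dataclass
class Outcome:
    no_protection: float    # every AccessRequest granted
    initial_metric: float   # InitialRiskMetric with the threshold RiskPolicy


def simulate(n_users: int, n_assets: int, attack_likelihood: float,
             with_opportunities: bool, seed: int = 1) -> Outcome:
    rng = random.Random(seed)  # preset seed: the scenario is repeatable
    # Threat identity reduced to the (user, asset) pair, the only clues this
    # miniature simulator randomises (assumption of this example).
    occurrences: Dict[Tuple[int, int], int] = {}
    incidents: Dict[Tuple[int, int], int] = {}
    baseline = metric = 0.0
    for _ in range(n_users * REQUESTS_PER_USER):
        key = (rng.randrange(n_users), rng.randrange(n_assets))
        attacked = rng.random() < attack_likelihood
        benefit = WAIT_HOURS * HOURLY_COST if with_opportunities else 0.0
        # NoProtection: always granted, so every attack compromises the Asset.
        baseline += benefit - (ASSET_VALUE if attacked else 0.0)
        # InitialRiskMetric: incidents / occurrences, 0.5 until seen once.
        seen = occurrences.get(key, 0)
        prob = PRIOR if seen == 0 else incidents.get(key, 0) / seen
        if prob > THRESHOLD:
            metric -= benefit  # denied: the waiting hour is paid but lost (Formula 5)
            continue
        occurrences[key] = seen + 1
        if attacked:
            incidents[key] = incidents.get(key, 0) + 1
            metric -= ASSET_VALUE
        metric += benefit
    return Outcome(baseline, metric)


def sweep(n_users: int = 100, n_assets: int = 10,
          with_opportunities: bool = False) -> List[Tuple[float, Outcome]]:
    """Attack likelihood from 0% to 100% in 10% steps, as in Figures 9 and 10."""
    return [(step / 10, simulate(n_users, n_assets, step / 10, with_opportunities))
            for step in range(11)]


if __name__ == "__main__":
    for likelihood, out in sweep(with_opportunities=True):
        print(f"{likelihood:.0%}: NoProtection={out.no_protection:,.0f} "
              f"InitialRiskMetric={out.initial_metric:,.0f}")
```

With a 0.5 prior and a strict "greater than 0.5" threshold, a (user, asset) pair is only denied after an incident has pushed its incident-to-occurrence ratio above one half, which is why the two curves coincide at low attack likelihoods and diverge once repeated compromises accumulate.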

Figure 10. NoProtection versus InitialRiskMetric with Opportunities

5. CONCLUSIONS

Current BYOD and mobile work trends underline that there are benefits in letting work be done in broader situations than the corporate environment, and that if this work is not done there are direct losses. Unfortunately, traditional risk management mainly focuses on the negative outcomes where assets could be compromised by potential threats, without taking into account that if the assets could be successfully used and no threat happened, the opportunity to use those assets would bring the benefits of positive outcomes.

It is the reason that in this paper we have introduced a new risk management model, called OPPRIM, where opportunities are also taken into account. Another novelty in OPPRIM is that potential risk treatments, such as a manual refinement of the opportunity at hand, may be proposed to users in order to let them access what they need, eventually letting them make their final choice knowing that they might be found liable afterwards, ending up with a lower trust value since their Threat probability as a user would get higher.

We have provided an OPPRIM open-source simulator for future work improving OPPRIM risk, trust and threat metrics.

ACKNOWLEDGMENTS

This work is supported by the European Commission, under grant 318508, project MUSES, Multiplatform Usable Endpoint Security, FP7-ICT-2011-8, Trustworthy ICT.

REFERENCES

BALAKRISHNAN, V. AND MAJD, E., 2013. A Comparative Analysis of Trust Models for Multi-Agent Systems. Lecture Notes on Software Engineering, 1(2).

BARACALDO, N. AND JOSHI, J., 2012. A Trust-and-risk Aware RBAC Framework: Tackling Insider Threat. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT ’12. New York, NY, USA: ACM, pp. 167–176.

BLAZE, M.,FEIGENBAUM, J. AND LACY, J., 1996. Decentralized Trust Management. In the 17th IEEE Symposium on Security and Privacy. IEEE Computer Society, pp. 164–173.


CASTELFRANCHI,C. AND FALCONE, R., 2000. Trust is much more than subjective probability: Mental components and sources of trust. In 32nd Hawaii International Conference on System Sciences - Mini-Track on Software Agents. IEEE.

CHICKOWSKI,E., 2013. Why Are We So Slow To Detect Data Breaches? Dark Reading.

CLARKE,J.,GOMEZ HIDALGO,M.,LIOY,A.,PETKOVIC,M.,VISHIK,C. AND WARD,J., 2012. Consumerization of IT: Top Risks and Opportunities, ENISA.

VAN DER SYPE,Y.S.M. AND SEIGNEUR,J.-M., 2014. Case study: Legal Requirements for the Use of Social Login Features for Online Reputation Updates. In the 29th ACM International Symposium of Applied Computing. Gyeongju, South Korea: ACM.

DIMMOCK, N., 2005. Using Trust and Risk for Access Control in Global Computing, University of Cambridge.

DOHERTY,W.J. AND THADHANI,A.J., 1982. The economic value of rapid response time. IBM Report.

ENISA, 2006. Risk Assessment and Risk Management Methods: Information Packages for Small and Medium Sized Enterprises (SMEs), ENISA.

GOVINDAN, K. AND MOHAPATRA, P., 2012. Trust computations and trust dynamics in mobile adhoc networks: a survey. Communications Surveys & Tutorials, IEEE, 14(2), pp.279–298.

GRANDISON,T. AND SLOMAN,M., 2000. A Survey Of Trust In Internet Applications.

HAN,W.,SHEN,C.,YIN,Y.,GU,Y. AND CHEN,C., 2010. A Framework for Quantified Risk and Benefit Adaptive Access Control.

HOWARD,M. AND LIPNER,S., 2003. Inside the windows security push. Security & Privacy, IEEE, 1(1), pp.57–61.

ISO, 2008. 13335-1 Management of information and communications technology security, ISO/IEC.

ISO, 2009. Guide 73 Risk management Vocabulary, ISO.

HOFFMAN, K., ZAGE, D. AND NITA-ROTARU, C., 2007. A Survey of Attack and Defense Techniques for Reputation Systems, Purdue University.

KRISHNA, A. AND VARADHARAJAN, V., 2011. A Hybrid Trust Model for Authorisation Using Trusted Platforms. In Proceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications. TRUSTCOM ’11. Washington, DC, USA: IEEE Computer Society, pp. 288–295.

MARSH, S., 1994. Formalising Trust as a Computational Concept, Department of Mathematics and Computer Science, University of Stirling.

MCKNIGHT,D. AND CHERVANY,N.L., 1996. The Meanings of Trust.

MEDIĆ, A., 2012. Survey of Computer Trust and Reputation Models – The Literature Overview. International Journal of Information, 2(3).

PONEMON, 2013. 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute.

ROMANO,D.M., 2003. The Nature of Trust: Conceptual and Operational Clarification, Louisiana State University.

SEIGNEUR,J.-M., 2005. Trust, Security and Privacy in Global Computing, Trinity College Dublin.

SHAIKH, R., ADI, K., LOGRIPPO, L. AND MANKOVSKI, S., 2011. Risk-based decision method for access control systems. In 2011 Ninth Annual International Conference on Privacy, Security and Trust (PST), pp. 189–192.

SHOSTACK,A., 2008. Reinvigorate your Threat Modeling Process. MSDN Magazine, July.

TERZIS, S., ENGLISH, C., WAGEALLA, W. AND NIXON, P., 2005. Trust Formation Model.

WEISER, M. AND BROWN, J.S., 1996. Designing Calm Technology.

WILSON,E.B., 1927. Probable inference, the law of succession, and statistical inference. Journal of the American Statistical Association, 22(158), pp.209–212.

ZHANG, L.,BRODSKY, A. AND JAJODIA, S., 2006. Toward information sharing: Benefit and risk access control (BARAC). In Policies for Distributed Systems and Networks, 2006. Policy 2006. Seventh IEEE International Workshop on. IEEE, p. 9–pp.
