Developer-Centred Security Call

Following the Developer-Centred Security Workshop in November, The National Cyber Security Centre (NCSC) is inviting proposals from academic researchers for research into the topic of Developer-Centred Security. Further information can be found here.

RISCS Hub RISCS Sponsors the 2016 International Symposium on Engineering Secure Software and Systems, ESSoS16

The Research Institute in Science of Cyber Security (RISCS) is pleased to annouce that it will be sponsoring the 2016 International Symposium on Engineering Secure Software and Systems, ESSoS16.

The goal of this symposium, which will be the eighth in the series, is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program. In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in security software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight.

Further details are available at https://distrinet.cs.kuleuven.be/events/essos/2016/ .

RISCS Hub White Paper Published Jointly by RISCS, Hewlett Packard Enterprise and CESG

Awareness is Only the First Step Thumbnail

The business white paper “Awareness is only the first step: A framework for progressive engagement of staff in cyber security” is the product of collaboration between RISCS researchers and security awareness experts at Hewlett Packard Enterprise (HPE), with oversight by the UK government’s National Technical Authority for Information Assurance (CESG).

Security communication, education, and training (CET) is meant to align employee behavior with the security goals of the organization, but it is not always designed in a way that can achieve this. The purpose of this paper is to set out a framework for security awareness that employees will actually engage with, and empower them to become the strongest link—rather than a vulnerability—in defending the organization.

A set of steps, required to deliver effective security CET as a natural part of an organization’s engagement with employees at all levels, is outlined. Depending on different needs, many vehicles are available from security games, quizzes, and brainteasers—and possibly prizes—to encourage employees to test their knowledge and explore in a playful manner. The most important output is that different approaches are needed for routine security tasks, and those tasks require application of existing security skills to new situations. There are many creative ways to improve security behaviors and culture, but it is essential to engage people in the right way. Then they can convert learning into tangible action and new behavior. Security CET needs to be properly resourced and regularly reviewed and updated to achieve lasting behavior change.

The report can be downloaded here.

RISCS Hub Inaugural Issue of the Journal of Cybersecurity Published

The inaugural issue of the Journal of Cybersecurity will be published online today, December 11th.   The Journal was created by RISCS members, in collaboration with colleagues in the UK and abroad, as a high-quality venue for publishing research into science of cyber security. The Journal welcomes submission of evidence-based research from all disciplinary backgrounds, and in particular multi-disciplinary research.

Optimising Time Allocation for Network DefenseT Caulfield and A Fielder

Abstract

The presence of unpatched, exploitable vulnerabilities in software is a prerequisite for many forms of cyberattack. Because of the almost inevitable discovery of a vulnerability and creation of an exploit for all types of software, multiple layers of security are usually used to protect vital systems from compromise. Accordingly, attackers seeking to access protected systems must circumvent all of these layers. Resource- and budget-constrained defenders must choose when to execute actions such as patching, monitoring and cleaning infected systems in order to best protect their networks. Similarly, attackers must also decide when to attempt to penetrate a system and which exploit to use when doing so. We present an approach to modelling computer networks and vulnerabilities that can be used to find the optimal allocation of time to different system defence tasks. The vulnerabilities, state of the system and actions by the attacker and defender are used to build partially observable stochastic games. These games capture the uncertainty about the current state of the system and the uncertainty about the future. The solution to these games is a policy, which indicates the optimal actions to take for a given belief about the current state of the system. We demonstrate this approach using several different network configurations and types of player. We consider a trade-off for the system administrator, where they must allocate their time to performing either security-related tasks or performing other required non-security tasks. The results presented highlight that, with the requirement for other tasks to be performed, following the optimal policy means spending time on only the most essential security-related tasks, while the majority of time is spent on non-security tasks.

Date: November 5, 2015
Published: Journal of Cybersecurity, 2015.
Publisher: Oxford University Press
Publisher URL: http://cybersecurity.oxfordjournals.org/content/early/2015/11/05/cybsec.tyv002
Full Text: http://cybersecurity.oxfordjournals.org/content/early/2015/11/05/cybsec.tyv002.full-text.pdf
DOI: http://dx.doi.org/10.1093/cybsec/tyv002
Open Access: http://cybersecurity.oxfordjournals.org/content/early/2015/11/05/cybsec.tyv002.full-text.pdf

An Inclusive, Value-Sensitive Design Perspective on Future Identity TechnologiesBriggs, P. and Thomas, L.

Abstract

Identity technologies constitute one of the fastest growing areas for research and development, driven by both commercial and administrative imperatives. Crucially, they constitute the means by which we include or exclude individuals and groups in terms of access to goods, services or information — yet few developments in this space embrace an inclusive or value sensitive design philosophy. We describe a rigorous exercise in which we source scenarios that capture new research in the identity space and use these as probes in an inclusive design process. Workshops were held with six marginalized community groups: young people, older adults, refugees, black minority ethnic (BME) women, people with disabilities, and mental health service users. Our findings echo Herzberg’s two-factor theory in which we are able to identify a set of relatively common values around sources of potential dissatisfaction (hygiene factors) as well as a set of motivators that are differentially valued across communities.

Date: October, 2015
Published: ACM Transactions on Computer-Human Interaction (TOCHI), Volume 22 Issue 5, October 2015.
Publisher: ACM
Publisher URL: https://dl.acm.org/citation.cfm?doid=2814459.2778972
Full Text: https://dl.acm.org/ft_gateway.cfm?id=2778972
DOI: http://dx.doi.org/10.1145/2778972
Open Access: http://nrl.northumbria.ac.uk/23871/

Improving Security Policy Decisions with ModelsTristan Caulfield and David Pym

Abstract

A rigorous methodology, grounded in mathematical systems modeling and the economics of decision making, can help security managers explore the operational consequences of their design choices and make better decisions.

Date: October 28, 2015
Published: IEEE Security & Privacy, Volume 13, Issue 5, 2015, Special Issue, SPSI: Economics of Cybersecurity, pp 34 – 41.
Publisher: IEEE
Full Text: http://dx.doi.org/10.1109/MSP.2015.97