Computer/February 2004/r2Security.mcw
IT SYSTEMS PERSPECTIVES
Security Models: Refocusing on the Human Factor
Denis Trcek, Jozef Stefan Institute

Future security models will rely on system dynamics and agent technologies.

Many computer security professionals are familiar with Sun Tzu’s legendary The Art of War. Written some 2,500 years ago, this work still resonates today because it underlines what has emerged as a central theme in information systems security research: the critical importance of the human factor.

Information systems (IS) security can be roughly divided into three epochs. Prior to the 1970s, the focus was on cryptography and secure operating systems. The proliferation of computer communications and increasingly complex technology in the 1980s shifted the emphasis to cryptographic protocols and formal methods. It was not until the mid-1990s, when e-business was born, that the human factor came to the forefront.

This is not to say that the human factor was neglected during the first two epochs. Even in the early days of computer systems security we were taught to pay attention to employees… BS 17799, a core IS security standard developed by the British Standards Institute in 1995 and adopted by the International Organization for Standardization as ISO 17799 in 2000, mentions organizational and human-factor issues almost exclusively.

In the past few years, IS security has further evolved to include trust issues and other sociocognitive phenomena. Given these trends, it is likely that IS security management will increasingly rely on qualitative and quantitative models that primarily address the human factor. This presents a challenge, as such models will typically yield computer simulations rather than simple and elegant analytical solutions.
MODELING METHODOLOGIES

The most promising methodologies should support modeling of information systems’ core characteristics. The first of these is complexity: the interplay between humans and technology is governed by numerous feedback loops. Further, these systems are mainly nonlinear and dynamic. In addition, the required modeling methodologies should enable multidisciplinary and interdisciplinary research that includes IT, management, psychology, and sociology. They must be intuitive enough for experts from various domains and diverse professional cultures to use them cooperatively. Finally, although qualitative models certainly have scientific merit, support for quantitative modeling is always desirable. Measurement has been at the heart of science for centuries; by measuring phenomena, theories can be efficiently proved or abandoned. Nevertheless, about ten years ago qualitative methodologies entered the scientific domain, and they are now well accepted in various areas of information systems research as well. But again: if something can be measured (or made measurable), then we should measure it (or make it measurable).
SYSTEM DYNAMICS

Jay W. Forrester, an engineer and professor of management at MIT, founded system dynamics in the early 1960s, and researchers have since applied the discipline’s principles to business cycles, urban planning, environmental research, and other complex social policy areas. The central structures of this methodology are causal feedback loops between variables. Each link between two variables has a polarity: a positive link polarity means that if the cause increases, the effect increases too, while a negative polarity means that an increase in the cause results in a decrease in the effect. Variables can be material, or they can be nonmaterial—for example, information; further, they can be auxiliary constants, stocks, and rates (also called flows). Among the variables, stocks (also called levels) require special attention. They are the source of inertia, and they constitute a kind of primitive memory within the system, an aggregate of past events. Additionally, they serve as absorbers and decouple inflows from outflows.

Causal loop diagrams are intuitive and expressive, providing insight into a system’s structure and functionality, which enables a better understanding of the basic principles of its functioning. Modeling consists of two phases. It starts with a graphical representation of the system. Through iterations, a modeler identifies the relevant variables and their nature, and links them as required. During this process feedback loops, i.e., causal loop diagrams, emerge. In addition to being good qualitative models per se, causal loop diagrams serve as a basis for quantitative models when backed by formulae that quantify variables and their relationships.
In the second phase, the graphical models are further elaborated: concrete relationships between variables are defined by appropriate equations. These equations often contain translation parameters or scaling factors used to tune the model so that it behaves in a way that closely reflects the real system. Figure 1 illustrates a causal loop for a generic high-level risk management model. The model consists of four balancing loops, with threats serving as the main risk generator—the higher the threat probability, the higher the risk. A similar relationship holds true for asset value and vulnerability: the higher the risk, the higher the required investment in safeguards to decrease the risk-driving factors. In most cases, risk cannot be completely eliminated, and some residual risk must be considered.

Figure 1. Causal loop diagram of risk management. In most cases, risk cannot be completely eliminated and some residual risk must be considered.
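The quantitative second phase, as an added example that is not part of the original article and not the author's model: a minimal discrete-time system-dynamics simulation of the Figure 1 balancing loop. Safeguards are treated as a stock, investment as an inflow proportional to perceived risk, obsolescence as an outflow, and vulnerability as falling with the safeguard level; these equations, the hyperbolic vulnerability form and every parameter value are assumptions chosen for illustration. The example also derives the equilibrium of the loop, which shows why a residual risk remains once the safeguard stock has an outflow.

```python
from dataclasses import dataclass
from math import sqrt

# Added example, not the article's model: a discrete-time system-dynamics
# simulation of the Figure 1 balancing loop. All equations and parameter
# values below are assumptions chosen for illustration.


@dataclass
class RiskParams:
    threat_probability: float = 0.3    # constructed: chance a threat materialises per step
    asset_value: float = 100.0         # constructed: loss if the asset is fully compromised
    base_vulnerability: float = 0.8    # constructed: vulnerability with no safeguards in place
    investment_gain: float = 0.05      # safeguard units bought per unit of perceived risk per step
    obsolescence_rate: float = 0.1     # fraction of the safeguard stock that stops working per step
    dt: float = 1.0                    # integration step


def vulnerability(base: float, safeguards: float) -> float:
    """Negative link: more safeguards -> lower vulnerability (assumed hyperbolic form)."""
    return base / (1.0 + safeguards)


def risk(p: RiskParams, safeguards: float) -> float:
    """Positive links: threat probability, vulnerability and asset value each drive risk up."""
    return p.threat_probability * vulnerability(p.base_vulnerability, safeguards) * p.asset_value


def simulate(p: RiskParams, steps: int) -> list:
    """Euler-integrate the stock 'safeguards'. Returns (step, safeguards, risk) per step.

    Balancing loop: risk -> investment inflow (+) -> safeguards stock ->
    vulnerability (-) -> risk (-). Obsolescence is the outflow that decouples
    the stock from its inflow; it is the reason a residual risk remains.
    """
    safeguards = 0.0                   # the stock starts empty
    history = []
    for t in range(steps):
        r = risk(p, safeguards)
        history.append((t, safeguards, r))
        inflow = p.investment_gain * r
        outflow = p.obsolescence_rate * safeguards
        safeguards = max(0.0, safeguards + (inflow - outflow) * p.dt)
    return history


def residual_risk(p: RiskParams) -> float:
    """Analytical equilibrium of the loop, where inflow equals outflow.

    g*R0/(1+S) = d*S  =>  d*S^2 + d*S - g*R0 = 0, solved for the safeguard stock S,
    with R0 the risk when no safeguards exist; residual risk is then R0/(1+S).
    """
    r0 = risk(p, 0.0)
    g, d = p.investment_gain, p.obsolescence_rate
    s = (-d + sqrt(d * d + 4.0 * d * g * r0)) / (2.0 * d)
    return r0 / (1.0 + s)


if __name__ == "__main__":
    params = RiskParams()
    for t, s, r in simulate(params, 12):
        print(f"step {t:2d}  safeguards={s:6.3f}  risk={r:7.3f}")
    print(f"analytical residual risk: {residual_risk(params):.3f}")
```

With the constructed defaults the risk starts at 24, falls step by step as the safeguard stock accumulates, and settles at the residual level 6 that the equilibrium formula predicts; the stock's inertia is visible in how the fall is gradual rather than immediate.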
Many well-known security organizations, including the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, already incorporate system dynamics (www.cert.org/sse/threatdynamics.html).
AGENT TECHNOLOGIES

Agent technologies are rooted in the Santa Fe Institute’s studies on complex systems (www.santafe.edu). Two freely available and well-known traditional agent environments of this origin are Swarm (www.swarm.org) and Repast (repast.sourceforge.net). These environments are intended for studying complex systems by deploying unsophisticated agents that interact locally with their environment. On this basis global patterns emerge, which enables the study of various phenomena from a new perspective. Besides these traditional agent environments, which require quite a high level of programming skill, a new generation of such environments has appeared recently. One representative among them is Zeus (http://sourceforge.net/projects/zeusagent). It is an open source solution that enables the deployment of sophisticated, intelligent agents, which further improves modeling possibilities so that models more closely reflect real environments. Moreover, this new generation of agent environments is significantly more user friendly than the traditional ones: quality GUIs now make it possible for users, regardless of their domain of expertise or programming skills, to use agents to model a real environment.

Although not intended to play such a role, agent technologies can be seen as complementary to system dynamics: basic system structures can be translated from the world of system dynamics to the world of agents, and vice versa (www.xjtek.com/files/papers/fromsystemdynamics2004.pdf). In contrast to the top-down approach of system dynamics, which models aggregate-level processes, agent models use a bottom-up approach that focuses on individual-level processes. In the field of security, for example, this gives additional possibilities for fine-grained security policies tailored to a particular organization or its departments. Last but not least, agents are not only suitable for modeling humans; technological components can likewise be represented as “dumb” agents.
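The bottom-up counterpart of the aggregate model, as an added example that is not part of the original article and uses none of the Swarm, Repast or Zeus frameworks: plain Python agents. Each employee agent decides individually whether to adopt a safe practice, influenced only by its two neighbours on a ring, and a mail filter is represented as a “dumb” technological agent with no decisions of its own. The department-level vulnerability, which system dynamics would treat as a single variable, emerges from these local decisions. The adoption rule, the ring neighbourhood and all parameter values are assumptions for illustration.

```python
import random
from dataclasses import dataclass

# Added example, not from the article or from any agent framework: a minimal
# bottom-up agent model. Adoption rule, neighbourhood shape and all parameter
# values are assumptions chosen for illustration.


@dataclass
class Employee:
    ident: int
    adopted: bool = False   # has adopted the safe practice (e.g. reports suspicious mail)


@dataclass
class MailFilter:
    """A 'dumb' technological agent: no decisions, just a fixed fraction of threats blocked."""
    block_rate: float


class DepartmentModel:
    def __init__(self, n_employees: int, initial_adopters: int, adopt_prob: float,
                 filter_block_rate: float, seed: int = 1) -> None:
        self.rng = random.Random(seed)            # seeded so a run is reproducible
        self.employees = [Employee(i) for i in range(n_employees)]
        for e in self.rng.sample(self.employees, initial_adopters):
            e.adopted = True                      # constructed initial adopters
        self.adopt_prob = adopt_prob
        self.mail_filter = MailFilter(filter_block_rate)

    def neighbours(self, ident: int) -> list:
        """Local interaction only: the two neighbours on a ring (desks to the left and right)."""
        n = len(self.employees)
        return [self.employees[(ident - 1) % n], self.employees[(ident + 1) % n]]

    def step(self) -> None:
        """Each non-adopter adopts with probability proportional to its adopting neighbours."""
        converts = []
        for e in self.employees:
            if e.adopted:
                continue
            share = sum(nb.adopted for nb in self.neighbours(e.ident)) / 2.0
            if share > 0 and self.rng.random() < self.adopt_prob * share:
                converts.append(e)
        for e in converts:        # synchronous update: all decisions use the previous state
            e.adopted = True

    def aggregate_vulnerability(self) -> float:
        """Emergent aggregate: share of non-adopters, exposed to the threats the filter lets through."""
        non_adopters = sum(1 for e in self.employees if not e.adopted) / len(self.employees)
        return non_adopters * (1.0 - self.mail_filter.block_rate)

    def run(self, steps: int) -> list:
        """Return the aggregate vulnerability before the first step and after each step."""
        series = [self.aggregate_vulnerability()]
        for _ in range(steps):
            self.step()
            series.append(self.aggregate_vulnerability())
        return series


if __name__ == "__main__":
    model = DepartmentModel(n_employees=40, initial_adopters=2, adopt_prob=0.6,
                            filter_block_rate=0.5)
    for t, v in enumerate(model.run(15)):
        print(f"step {t:2d}  aggregate vulnerability={v:.3f}")
```

Where the system-dynamics model prescribes the shape of the aggregate curve through an equation, here the curve is whatever the individual rules produce; changing one agent's rule (or giving one department a different filter) is how the fine-grained, department-specific policies mentioned above would be explored.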
As IS security refocuses on the human factor, complex models based on system dynamics and agent technologies promise to play an important role in improving and strengthening future information systems security. Using the two methodologies independently can yield unique insights into the soundness of a given approach, though in some cases only agents or system dynamics can be applied.
Einstein pointed out that the best explanation is as simple as possible, but no simpler. Therefore these models are likely to evolve into a set of security reference models, or even a variety of sets of security reference models. This is additionally justified by the fact (stated by Forrester, Deming, and others) that all models are wrong in the sense of truth; the point about models is whether they are useful or not, so different sets for different security contexts may become a reality.

Denis Trcek is a principal researcher and associate professor at the Jozef Stefan Institute, Slovenia. Contact him at
[email protected]. Editor: Richard G. Mathieu, Dept. of Computer Information Systems and Management Science, College of Business, James Madison Univ., Harrisonburg, VA;
[email protected]