Modeling and Simulating Information Security Management

Jose M. Sarriegi (1), Javier Santos (1), Jose M. Torres (1), David Imizcoz (2), Elyoenai Egozcue (2), Daniel Liberal (2)

(1) Tecnun (University of Navarra)
(2) s21sec

Abstract. Security management is a complex task. It requires several interconnected activities: designing, implementing and maintaining a robust technical infrastructure, developing suitable formal procedures and building a widespread, agreed-upon security culture. Security managers therefore have to balance and integrate all these activities simultaneously, which involves short- and long-term effects and risks. For this reason, security managers need to correctly understand, achieve and maintain a dynamic equilibrium between all of them. Developing a simulation model can be an efficient approach towards this objective, as it involves making explicit the key factors in security management and their interconnections in order to reduce organizational security risks efficiently. This endogenous perspective of the problem can help managers design and implement more effective policies. This paper presents a methodology for developing simulation models for information security management. The use of this methodology is illustrated through examples.

Keywords: Security Management, Modeling, Simulation, System Dynamics
1. Introduction

Although there has never been a time in the history of computing when information security was more important to the success and stability of businesses than now, the prominence of security management in the research community has been slightly decreasing [1]. But technology by itself cannot guarantee a firm's information security [2], [3]. Both researchers and practitioners need a deeper understanding of the root causes of the behavior of the security-related variables. These variables are interconnected in many ways and constitute a complex system. As in other complex systems, even well-intentioned decisions can sometimes have futile or even counterproductive consequences. Therefore, modeling security management could offer valuable insights for its improvement.

System Dynamics (SD) [4], [5] is a modeling methodology that focuses on analyzing the underlying structure that generates the behavior of complex systems. This way, the model structure can be compared directly with descriptive knowledge of the real system's structure. It has been used successfully in the research of several managerial problems [6] and has already brought promising results in the analysis of security-related problems [7], [8].
There are two reasons why SD is especially suitable for the analysis of security management:

• In addition to its structural complexity, due to the multiple relations between variables, security management also involves dynamic complexity because of the presence of significant delays. This means that security management combines variables that evolve rapidly, like new viruses or software upgrades, with others that need longer times to change, like organizational culture or individual attitudes towards security. SD has the necessary elements to deal with this kind of dynamic complexity.

• Security management contains variables that cannot be measured directly, such as "managers' commitment", and variables with scarce data, like "effectiveness of implemented technical security controls". This means that the purpose of simulation models cannot be precise forecasting; instead, the modeling process should focus on learning through the achievement of a consensus between rational opinions.

Since its creation, the purpose of SD has been to give people a more effective understanding of important systems that have previously exhibited puzzling or controversial behavior [9]. Thus, it is a good fit with the characteristics of the security management problem.

The purpose of this paper is to present a methodology for building security management simulation models using SD. This iterative methodology involves four stages (see figure 1):
1: (Dis)Aggregation
2: Calibration
3: Integration
4: Simulation

Fig. 1: Stages of the modeling methodology
2. Stage 1: (Dis)Aggregation

Security controls can be divided into different categories. Security literature often cites technical, formal and informal controls to explain different kinds of security countermeasures [10], [11], [12], [1]. Other authors propose analogous classifications using different names, defining security as technology, processes and people [3].

According to this classification, technical controls include any tool (hardware or software) used for protecting the system from undesired or malicious uses. Currently, there is a great variety of these kinds of security elements [13], such as firewalls, anti-virus tools, physical and logical access controls, and intrusion detection and prevention systems.

Formal controls are the group of policies and procedures developed and implemented to make suitable use of the technical elements of security. It would be useless to have the appropriate technical elements if they were not used correctly. However, experience shows that simply having the appropriate resources and well-defined procedures to manage them is not enough to make these resources work satisfactorily. There is another factor which is as important as the previous ones: informal controls, also known as human factors, security culture or people's attitude. Information system users can always find ways to dodge security mechanisms, especially if they can personally benefit from doing so. A simple benefit could be making their work easier. This also leads to people misperceiving risks [14]. In fact, many security incidents have been caused by human error. As a consequence, the necessity of developing a security culture has been recognized by almost all security experts, for example by the Organization for Economic Co-operation and Development (OECD) [15].

The first decision while modelling security management concerns its decomposition level, granularity or level of detail.
This means deciding how many subsystems the model will be divided into. This decision should be made during this first stage of the methodology. A small number of subsystems would make the model easier to calibrate, but it would also make it too generic to be useful. For example, treating all technical controls as a single level would give the model too high an aggregation level. Dividing controls into many different categories, on the other hand, would make the model harder to calibrate, although it could offer a more detailed analysis of the problem. The practical criterion consists of beginning with a highly aggregated model and decomposing it only if necessary. Reasons for decomposition could be, for example, the existence of different dynamics, such as significantly different Mean Life Time values for controls included in the same category. Some possible decomposition strategies can be seen in table 1.

Tab. 1: Disaggregation strategies

Technical controls
  Low disaggregation: Technical controls
  Medium disaggregation: Controls against external attacks; Controls against internal attacks
  High disaggregation: Controls against external attacks; Controls against internal attacks; Protection of mobile devices; Protection against malicious code; Protection against involuntary misuse

Formal controls
  Low disaggregation: Formal controls
  Medium disaggregation: Formalization of security procedures
  High disaggregation: Risk analysis; Formalization of security procedures; Implemented security metrics

Informal controls
  Low disaggregation: Informal controls
  Medium disaggregation: Security culture; Top management commitment
  High disaggregation: Training; Security culture; Top management commitment
3. Stage 2: Calibration

The process of building simulation models with SD uses different kinds of variables, mainly stocks, flows and auxiliary variables. A stock represents an accumulation. This accumulation can be increased through an inflow rate and diminished through an outflow rate. For instance, "Trees" (stock) increase due to the "Planting Rate" (inflow) and diminish because of the "Cutting Down Rate" (outflow), as can be seen in figure 2.

Fig. 2: Example of stock and flows (stock: Trees; inflow: Planting Rate; outflow: Cutting Down Rate)

Notice that rates should be measured for a previously established period of time (daily, weekly or monthly rates, for example). Notice also that stocks need an initial value. Auxiliary variables are used as intermediate variables to calculate flows at every time step.
Applying this approach to security management, we can build the structure of a security management subsystem. We should divide the model into several subsystems, one for each control type defined in the previous stage. Hence, we could divide the system into three subsystems: Technical, Formal and Informal. Each of these subsystems is analogous to the one shown in figure 3.

Fig. 3: Structure of a security management subsystem. Variables: Security Controls Mean Life Time (SCMLT), Security Controls Mean Implementation Time (SCMIT), Security Controls In Progress (SCIP), Implemented Security Controls (ISC), Obsolescence (O), Implementation (I), Acquisition (A), Current Unit Price (CUP), Investment In Security Controls (IISC), Price Table (PT), Security Controls Gap (SCG), Security Controls Minimum Value (SCMV), Desired Security Controls (DSC), Investment Table (IT)
The equations underlying this structure are the following:

∂ISC/∂t = I - O

The model considers that Implemented Security Controls (ISC) accumulate into a stock. ISC are measured through an index between 0 and 1, where 0 would mean the total absence of security, while 1 would mean perfect security, an unattainable value using finite resources. This stock increases due to new Implementations (I), but also decreases because of Obsolescence (O). For this purpose, the model needs to establish a value for the Security Controls Mean Life Time (SCMLT) and also for the Security Controls Minimum Value (SCMV). This value represents the lowest value the control type corresponding to this subsystem would reach if no efforts were made to maintain or increase it. This value can be low, such as 0.15, or even 0.

O = (ISC - SCMV) / SCMLT
I = SCIP / SCMIT
SCMIT = constant
SCMLT = constant

There is another stock for controls that are in the implementation phase: Security Controls In Progress (SCIP). The acquired controls stay in this stock for the Security Controls Mean Implementation Time (SCMIT), a parameter that should be established for each control type. The Acquisition (A) rate depends on the current Investment In Security Controls (IISC) and its Current Unit Price (CUP). To obtain the CUP, a non-linear relation is needed because this price varies depending on the current ISC level.

∂SCIP/∂t = A - I
A = IISC / CUP
CUP = PT(ISC)

The Price Table (PT) should be calibrated for each control type and should be similar to the one shown in figure 4. This table represents the fact that improving high security is more expensive than improving poor security. Notice that there usually is no hard data to build this table, and as a consequence it should be estimated based on experts' knowledge. But discussing this table and building consensus around it brings valuable knowledge.
Fig. 4: CUP depending on current ISC (x-axis: Current Implemented Security Control, 0 to 1; y-axis: Current Unit Price (€), 0 to 8000)
Desired Security Controls (DSC) is the only input to the subsystem. It represents the objective of this control type. DSC depends on the information system’s criticality and exposure level and could vary over time. The difference between the current ISC and DSC generates the Security Controls Gap (SCG). Based on this gap, the system administrator makes the decision about the investment for the next period, the only decision that needs to be made in order to run the model.
4. Stage 3: Integration

After building and setting appropriate values for each subsystem, they should be integrated (see figure 5). This view shows the current security situation of the system, Security Effectiveness, and the requirements of the system, Overall Desired Security. Based on this gap, different decisions or strategies can be applied and studied.

Fig. 5: Combined overall security. Variables: Technical Implemented Security Controls (TISC), Technical Effect Table (TET), Formal Implemented Security Controls (FISC), Formal Effect Table (FET), Informal Implemented Security Controls (abbreviated IISC in the paper, not to be confused with Investment In Security Controls), Informal Effect Table (IET), Security Effectiveness (SE), Overall Desired Security, Technical Desired Security Controls (TDSC), Formal Desired Security Controls (FDSC), Informal Desired Security Controls (IDSC), Priority on TDSC, Priority on FDSC, Priority on IDSC
The current value and effect of each Implemented Security Control stock dictate the Security Effectiveness. Each control type affects the Security Effectiveness in a different way. Figure 6 shows an FET table. This table represents how Security Effectiveness can be reduced to 0.2 if the current FISC is 0. Hence, this table shows the impact of a control type on overall security. These tables are used for integrating the previously defined subsystems. The shape of these tables (one for each control type) should be discussed by the modelling team, which generates new opportunities for discussion, consensus and learning.
Fig. 6: FET table, effect of FISC over Security Effectiveness (x-axis: FISC Value, 0 to 1; y-axis: Security Effectiveness, 0 to 1)
Thus, Security Effectiveness results from the combination of the current values of the different security controls. If we have identified three control types (technical, formal and informal), the equation would be:

SE = TET(TISC) * FET(FISC) * IET(IISC)

Overall Desired Security determines the value of each subsystem's goal. Different priorities can be established for each control type to represent the possible strategies, for example a strategy mainly focused on technical controls.
5. Stage 4: Simulation

Once we have built a calibrated and integrated model, simulations can be run using any commercial SD software, such as Vensim, Ithink or Powersim, or even using spreadsheets. These simulations allow the model's behavior to be observed. Connecting the observed behavior to its underlying structure allows for a deeper understanding of the system, and thus suitable policy recommendations can be made.

The model is deterministic, that is, the generated behavior depends only on the model structure. The randomness of some variables of the real system adds more complexity to security management and could also be included within the model. However, randomness can be avoided in the first iterations of the modeling process and added afterwards. But even in the absence of these random variables, no expert could precisely forecast the different behaviors generated by the model. This shows that the model can help experts gain a better understanding of the system they have to manage.

Figure 7 shows the results obtained after running a simulation where Overall Desired Security suddenly rises in the tenth month. Depending on the prevalence of each kind of control, the system evolves towards a situation of higher security effectiveness.
Fig. 7: Analyzing a simulation
Simulations also can be used to compare results obtained from the implementation of different policies. Figure 8 shows the results obtained from two simulations. It can be seen that scenario01 needs more resources in order to obtain better results than scenario02.
Fig. 8: Comparing two simulations
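The subsystem equations of Stage 2, the SE integration of Stage 3 and the two-scenario comparison of Stage 4, put together as a runnable Euler-step model (an added example, not the authors' code). The table shapes, parameter values, the linear Investment Table (IISC proportional to the gap) and the priority rule DSC = min(1, Overall Desired Security × priority) are assumptions for illustration, not values from the paper.

```python
from dataclasses import dataclass


def lookup(table, x):
    """Piecewise-linear table function (SD-tool style) over (x, y) points, clamped at the ends."""
    if x <= table[0][0]:
        return table[0][1]
    if x >= table[-1][0]:
        return table[-1][1]
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


# Assumed Price Table (EUR per unit of the ISC index): the Fig. 4 shape, steep near 1.
PRICE_TABLE = [(0.0, 500.0), (0.5, 1500.0), (0.8, 4000.0), (0.9, 6000.0), (1.0, 8000.0)]
# Assumed effect table, reused for TET, FET and IET: SE factor 0.2 when the stock is 0 (Fig. 6 shape).
EFFECT_TABLE = [(0.0, 0.2), (0.5, 0.6), (1.0, 1.0)]


@dataclass
class Subsystem:
    """One control type (technical, formal or informal) with the Fig. 3 structure."""
    name: str
    scmlt: float         # Security Controls Mean Life Time (months)
    scmit: float         # Security Controls Mean Implementation Time (months)
    scmv: float          # Security Controls Minimum Value
    invest_rate: float   # assumed linear Investment Table: EUR per month per unit of gap
    isc: float = 0.3     # Implemented Security Controls stock (index 0..1), initial value
    scip: float = 0.0    # Security Controls In Progress stock, initial value

    def step(self, dsc, dt=1.0):
        """Advance one Euler step of length dt; returns the money invested in the step."""
        scg = max(dsc - self.isc, 0.0)                 # Security Controls Gap
        iisc = self.invest_rate * scg                  # Investment In Security Controls = IT(SCG)
        cup = lookup(PRICE_TABLE, self.isc)            # CUP = PT(ISC)
        a = iisc / cup                                 # A = IISC / CUP
        i = self.scip / self.scmit                     # I = SCIP / SCMIT
        o = (self.isc - self.scmv) / self.scmlt        # O = (ISC - SCMV) / SCMLT
        self.scip += (a - i) * dt                      # dSCIP/dt = A - I
        self.isc = min(1.0, self.isc + (i - o) * dt)   # dISC/dt = I - O, index capped at 1
        return iisc * dt


def security_effectiveness(subsystems):
    """Stage 3 integration: SE = TET(TISC) * FET(FISC) * IET(IISC)."""
    se = 1.0
    for s in subsystems:
        se *= lookup(EFFECT_TABLE, s.isc)
    return se


def run(priorities, months=36, ods_before=0.5, ods_after=0.9, step_month=10):
    """Simulate Overall Desired Security (ODS) stepping up at step_month, as in Fig. 7.
    Assumed priority rule: each subsystem's DSC = min(1, ODS * priority)."""
    subs = [Subsystem("technical", 12, 2, 0.15, 500),   # assumed parameter values
            Subsystem("formal", 24, 4, 0.10, 500),
            Subsystem("informal", 48, 6, 0.00, 500)]
    se, spent = [], 0.0
    for month in range(months):
        ods = ods_after if month >= step_month else ods_before
        for s, p in zip(subs, priorities):
            spent += s.step(min(1.0, ods * p))
        se.append(security_effectiveness(subs))
    return {"se": se, "spent": spent, "isc": {s.name: s.isc for s in subs}}
```

Calling run((1.0, 1.0, 1.0)) and run((1.2, 0.8, 0.8)) gives a Fig. 8 style comparison of a balanced and a technically focused strategy; note that with a proportional investment rule each ISC settles below its DSC, because obsolescence has to be bought back every month.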
6. Iteration

The model should be improved until it has a suitable disaggregation level and is accurately calibrated and integrated. For this purpose, multiple simulations should be run. The model becomes valid when it generates enough confidence to be taken into account in decision-making processes. During this iterative modeling process, participants learn to relate behavior, which is usually easier to perceive, to the structure that generates it. After the modeling process, participants are able not only to explain the behavior of each particular variable involved in security management, but also why the variables behave as they do.
7. Conclusions

It is not unusual to find security researchers and practitioners discussing the most effective security strategy. Despite the huge amount of research already done, this discussion still continues. The modeling process becomes an opportunity to facilitate consensus and create knowledge, as it requires making every assumption explicit. This way, discussion becomes much more productive.
This methodology has been validated through its use in a modeling project involving a group of modeling experts, security consultants and security administrators. During the modeling process, participants had to identify the most suitable subsystems and to calibrate the parameters of the model and the tables for the non-linear relations between variables. This intellectual exercise provided them with meaningful insight into security management. Managers involved in this modeling process admitted having acquired new knowledge about the problem thanks to the modeling process.

The modeling process also sheds light on the dominant variables within a security management problem in every case. Once these dominant variables have been identified, suitable indicators should be implemented to measure their evolution [16]. These indicators would also be useful for permanently validating the assumptions made within the model. This way, when the real and the simulated behavior differ, upgrades or corrections to the model should be made.

The goal of this modeling methodology is not to obtain a predictive tool, but to improve decision making through the development of a deep, shared and dynamic perspective on security management. Building a predictive model is not possible due to the absence of hard data, but security managers have to make decisions even in the absence of data. Currently they tend to use their mental models to do so, but using the described methodology to build a simulation model can help them improve their decision-making processes.
8. References

[1] R. A. Botha, T. G. Gaadwinge, "Reflecting on 20 SEC conferences", Computers & Security 25, Elsevier, 2006, pp. 247-256.
[2] B. Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C, John Wiley & Sons, New York, 1994.
[3] B. Schneier, Beyond Fear, Copernicus Books, New York, 2003.
[4] J. Forrester, Industrial Dynamics, MIT Press, Cambridge, 1961.
[5] J. Sterman, Business Dynamics, McGraw Hill, New York, 2000.
[6] E. B. Roberts (ed.), Managerial Applications of System Dynamics, Productivity Press, Cambridge, 1978.
[7] D. Andersen, D. Cappelli, J. J. Gonzalez, M. Mojtahedzadeh, A. Moore, E. Rich, J. M. Sarriegi, T. Shimeall, J. Stanton, E. Weaver, A. Zagonel, "Preliminary System Dynamics Maps of the Insider Cyber-Threat Problem", Proceedings of the 22nd International Conference of the System Dynamics Society, Oxford (UK), 2004.
[8] C. Melara, J. M. Sarriegi, J. J. Gonzalez, A. Sawicka, D. L. Cooke, "A System Dynamics Model of an Insider Attack on an Information System", in J. J. Gonzalez (ed.), From Modeling to Managing Security: A System Dynamics Approach, Norwegian Academic Press, Kristiansand (Norway), 2003.
[9] J. Forrester, P. Senge, "Tests for building confidence in system dynamics models", in A. Legasto, J. Forrester and J. Lyneis (eds.), TIMS Studies in the Management Sciences 14, North Holland, New York, 1980.
[10] G. Dhillon, "Managing and Controlling Computer Misuse", Information Management & Computer Security 7 (4), pp. 171-175, 1999.
[11] G. Dhillon, S. Moores, "Computer crimes: Theorizing About the Enemy Within", Computers & Security 20 (8), Elsevier, pp. 715-723, 2001.
[12] J. M. Torres, J. M. Sarriegi, "Dynamics Aspects of Security Management of Information Systems", Proceedings of the 22nd International Conference of the System Dynamics Society, Oxford (UK), 2004.
[13] H. S. Venter, J. H. P. Eloff, "A taxonomy for information security technologies", Computers & Security 22, Elsevier, pp. 299-307, 2003.
[14] J. J. Gonzalez, A. Sawicka, "The role of learning and risk perception in compliance", Proceedings of the 21st International Conference of the System Dynamics Society, New York, 2003.
[15] OECD, Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002.
[16] J. M. Torres, J. M. Sarriegi, J. Santos, N. Serrano, "Managing Information Systems Security: Critical Success Factors and Indicators to Measure Effectiveness", Lecture Notes in Computer Science 4176, Springer-Verlag, pp. 530-545, 2006.