ACM SIGSOFT Software Engineering Notes

Page 1

September 2010 Volume 35 Number 5

Research on Software Security Awareness: Problems and Prospects

C. Banerjee1, S. K. Pandey2
Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India, Noida-201301, INDIA
E Mail: [email protected], [email protected]

DOI: 10.1145/1838687.1838701
http://doi.acm.org/10.1145/1838687.1838701

Abstract

People attack software deliberately to steal highly sensitive as well as personal information with the sole intention of carrying out well-funded, destructive and unethical goals that could harm individuals, nations or the whole world. Available technological controls can be implemented to tighten access and minimize persistent threats, but a complete solution for secure software can only be provided by changing the behavior of the people involved. This can be achieved through effective security awareness techniques applied to individuals, because they are, in most cases, the first target for gaining access into the system. This paper highlights the utility of security awareness, with the help of recently published work, for building more secure software. In addition, areas that need further investigation are identified in the paper.

Keywords: Software Security, Software Security Awareness, Research on Security Awareness, Tools & Techniques of Security Awareness, etc.

I. Introduction

People who attack software and threaten systems can be outsiders or insiders. An inside attacker is an authenticated and authorized user from within the system who attempts to go beyond their designated access rights and permissions to do harm to the system. An outside attacker is an unauthenticated and unauthorized user from outside the system who attempts to break into the system by manipulating access rights and permissions to corrupt the system. So, potentially, an inside attacker is more dangerous and needs to be addressed by internal measures, as he / she has a level of access to the facilities and the system that an outside attacker does not have.

Various technologies are available inside and outside the system to safeguard that system against an outside attack, but when it comes to an insider attacking and threatening the system, a tactical and strategic weapon that could be used to counter the attacks is psychological treatment in the form of 'awareness' on various inter-functional and intra-functional aspects. According to the 2010 CyberSecurity Watch Survey conducted by CSO magazine, the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University and Deloitte's Center for Security & Privacy Solutions, 51% of participants experienced an insider attack incident in 2009, in spite of implementing most of 15 security policies and procedures aimed at preventing insider attacks. A number of security breach incidents go unreported and the public in general may be unaware, as on average 72% of insider incidents are handled internally without legal action or involvement of law enforcement [1].

The insider can exploit the vulnerabilities and flaws of the requirements definition, system design, system implementation, system deployment and system maintenance phases of the SDLC. In one case, the end users modified the source code to evade auditors for five years. In another case, a company's communication protocol was modified by an ex-employee by injecting malicious code. Out of 116 cases that were reported, 54 cases were of IT sabotage, 44 cases were of fraud and the remaining 40 cases were of IP theft. An estimated $691 million loss was reported due to such frauds [2]. Developing software with world-class security, equipping the software with technology-based defenses, and having a well-trained security team is not all that makes the software secure. In a real sense, an essence is very much required to make the software secure, and that essence is termed 'awareness', which needs to be created among the people who are involved in requirements gathering, designing, coding, testing, implementing and using the software [3].

One medium for creating security awareness among people is an effective awareness and training program with a focus on future software development practices and a clearly defined objective. Many academic bodies and universities have designed and developed such programs, but none of them completely and adequately addresses software security issues with a focus on awareness. A few commercial units have also introduced such awareness programs, but they seem to have lost the real objective, as their offerings lack adequate coverage of security-related processes for incorporation into software development practices [4]. Keeping this in mind, we present the research advances in this area. The rest of the paper is organized as follows: Section II provides a brief description of security awareness, Section III presents a brief overview of the current research in the area, Section IV focuses on future research directions, whereas the conclusion and future work are reported in Section V.

II. Security Awareness

Security awareness can be defined as the knowledge that members of an organization possess regarding protection of the physical and information assets of that organization. It also reflects the attitude and motivation of the members of an organization towards understanding and addressing various security issues. Awareness of security promotes a cultural and behavioral change among the members of an organization. Being security aware means that there is an understanding that some people may intentionally and deliberately, or unintentionally and accidentally, steal, damage or misuse the data and other resources of an organization [5].

Security awareness can also be defined as the concentrated and focused attention of an employee towards maintaining the confidentiality, integrity and availability of information assets. Security awareness helps and encourages an individual or a group to recognize the various security concerns and how to deal with them when they arise with an appropriate response [6]. The European Network and Information Security Agency states that awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks [7].


III. A Survey of Research in the Area

Significant work and rapid growth in recent years has been carried out and reported in the field of awareness with respect to security issues. A selection of noteworthy contributions from researchers from the year 2006 to 2010, covering most of the closely related journals, conference proceedings, and research / technical reports which are valuable and carry weight, is briefly described one by one for analysis of the advances, as follows:

Tom Olzak suggested a security awareness program with the intention of developing a fully aware workforce, which focuses on the realization aspect and active participation of the people involved in the software development and usage process for maintenance on three fronts, viz., confidentiality, integrity and secure availability of the information. The researcher further suggested that the security awareness program should be designed keeping in mind major objectives like the security aspect and dimension, the company's security strategies and policies, the various processes involved in secure software development, applicable local / state / federal regulations and the security impact on various factors. The researcher also suggested that the security awareness program should be backed by a post-implementation process with a revised awareness and training program plan [3].

Allen M. Smith and Nancy Y. Toppel, in collaboration with Northrop Grumman Corporation, U.S., proposed a security awareness campaign for increasing awareness among their employees of advanced persistent threats and ways of strengthening desired employee behaviors that educate them to minimize the risks involved. The paper further discussed the various techniques used, like intranet web sites, monthly communication, audio media, management briefings, etc., and the challenges faced during its implementation, like lack of information on attacks and threats, a large and widely distributed employee base, etc. [8].

Kenneth R. van Wyk provided a study of the various commercial as well as academically available security awareness programs with their strengths and pitfalls. The study shows that both the commercial and the academically available security awareness programs have diverted from their actual path of creating awareness among people, but soon after realizing this they are working towards improving the structure and content of the programs, keeping in mind the target audience of senior decision makers, engineering managers and software developers [4].

Hennie Kruger et al. presented an email awareness experiment which was performed among the staff of a South African university. In the experiment, 4 test mails were sent to 1600 (400 per test) randomly selected staff members to record the behavior of employees when they confront HTML links in emails, attachments from unknown sources, disclosure of private information and running executable files in emails. The statistics collected during the test show a fairly high level of lack of awareness among the employees of security threats pertaining to responsible email usage. The data thus collected during the experiment could be used to design and deliver more robust and effective awareness development techniques [9].

Anja Beyer and Christiane Westendofr suggested that the security awareness program should be introduced at the school level among children, as they are exposed to the use of computers and the internet from a very early age. They further suggested that a primary-level security awareness program could be developed to educate children at school level by way of comics and quizzes ("Safe Chat"), projects, and media trips with blogging. They have also provided general theses and recommendations, which could be seen as guidelines for future projects [10].

The 2010 CyberSecurity Watch Survey conducted by CSO magazine, the U.S. Secret Service, the Software Engineering Institute CERT® Program at Carnegie Mellon University and Deloitte's Center for Security & Privacy Solutions suggested penetration testing of systems, educating the employees by drafting an awareness program, and regular communication about security policies and updates among the employees on a periodic basis. The suggestions made were advised to be overseen and monitored by management for effective implementation [1].

C. Banerjee and S. K. Pandey proposed 21 Security Rules to be followed in the SDLC. The first rule is the 'Rule of Awareness', which states that an active security awareness training program should be developed for the software development team, covering all the critical software security issues, which educates the development team to acquire new information and to update existing knowledge related to various aspects of security on a continuous basis [11].

Dawn M. Cappelli et al. suggested a four point formula for creating awareness among the software development team. Firstly, the requirements definition team members should be made aware regarding requirements related to authentication & role-based access control, security requirements, separation of duties, and automated data integrity checks. Secondly, the system design team members should be educated regarding the security details of automated workflow processes, sufficient separation of duties, and security vulnerabilities posed by authorized system overrides. Thirdly, the system implementation team members should be made aware of thorough code reviews, activities, responsibilities and the associated actions of individuals & groups. Fourthly, the system deployment team members should be educated about the need for documentation practices & enforcement of backup procedures, secured & separate password files for development and operational systems, restricted access to the systems, and the need for configuration control and well-defined business processes. Lastly, the system maintenance team members should be properly informed about the need for code reviews, efficient practices concerning configuration controls, efficient and effective backup processes, restrictions on end-user access to source code, and countermeasures for known vulnerabilities [2].

Mano Paul suggested that to make secure software, the people should be made aware, educated and properly informed, the process should be hack-resilient, and the technology should be chosen appropriately. The researcher further suggested that security in software should be woven in from requirements to release. The researcher advocated a new culture reflecting a change in the mindset of those involved in the SDLC, and suggested that such a culture may promote security in the SDLC while understanding the risk of software built without security in mind. The researcher said that awareness, education, and certification programs built around security in the SDLC are critically necessary [12].


John Steven and Ken van Wyk suggested that awareness should be created among the development team, security team and operational team by educating them through a training program. Further, the training program should be designed keeping in mind the category of audience. They propose three levels of training, viz.: executive-level awareness training, with prime focus on the difference between software security and conventional network security approaches, particularly the pervasiveness of software security issues, and on establishing short- and medium-term goals related to software security; management-level awareness training, with focus on making schedule, cost, functionality, and risk trade-offs via a risk-management framework and on means to validate the probability and impact of security findings and mitigation strategies; and development and security group awareness training, with focus on transforming the behavior and environment by educating the people involved to implement security right from the beginning [13].

Anita Sarma et al. proposed a workspace awareness tool, Palantír. They conducted two formative experiments using the proposed tool, which resulted in detecting conflicts earlier and producing a final product with fewer unsolved indirect conflicts. In the experiment, of the 12 tasks assigned to the software developers, 8 conflicted, with 4 as direct conflicts and 4 as indirect conflicts. The conflicts were divided into three categories: conflicts introduced before the beginning of a particular task, conflicts introduced during a task, and conflicts introduced after the completion of the task. Through the experiment they showed that the software developers monitor awareness information and, on detecting a conflict, resolve it with a self-coordinated approach [14].

Chun Che Fung et al. suggested a simulation game called CyberCIEGE, which was implemented as a pilot to educate and make aware a group of Thai students about the need for information security and assurance, and to educate the community for responsible participation in the digital world. A comparison was also drawn with the traditional classroom lecture method of training. A number of observations were drawn and research questions framed, which may become the basis for future research in this area [15].

Rahul Thakurta and Frederik Ahlemann proposed a combination of interviews and a survey conducted in two phases to investigate the organizational practices in dealing with the risk of requirements volatility and the influence of project execution strategies, with regard to process model selection decisions, on the risk of requirements volatility. They pointed out that the findings make the project manager aware of the different aspects of requirements volatility. They further said that the results show that a great deal of concern should be directed towards the selection of execution strategy(s) in a project. They further suggested that the project stakeholders should be educated and must be made aware of the potential risk associated with volatility. A proactive management strategy at a higher maturity level for the development of a requirements volatility management framework could be adopted from the nature of the management approach and the characteristics of the project [16].

Daniela Damian et al. showed that project teams should follow standards and processes and must use common tools according to the organizational culture in creating awareness between remote sites. They further suggested that awareness needs to be created and balanced in the development team, focusing on the work infrastructure, as the communication-based social networks of a particular work item are dynamic throughout the development process. They further said that information overload and breakdowns in communication often contributed to the generation of a broken integration build [17].

Reid Holmes and Robert J. Walker suggested that awareness should be created among software developers taking into consideration the relevant inter-related code they are working upon. Hence, they proposed a developer-specific awareness system called the YooHoo awareness system. Such a system is capable of filtering the information about the changes made or to be made on the basis of the software developer's own code and interests. After all, if the system is properly developed, it is the security part which will be strengthened [18].

Jacob T. Biehl et al. proposed a new visualization tool called FASTDash (Fostering Awareness for Software Teams Dashboard), which enables immediate access to key information for group awareness. They designed this system for a project team of 3-8 programmers. They further said that FASTDash supports maintaining better awareness during collaborative programming and other problem-solving activities [19].

IV. Future Research Directions

Based on the review of the existing literature given in the earlier section, further research may be undertaken in the following areas:

• Future work may include designing a sound training program covering recent security incidents, regulatory issues, and employees', management's, customers' & investors' concerns, with definition of training, target audience identification, delivery frequency & support from management [3].
• Future research may include developing a security awareness campaign which addresses issues like lack of public information on attacks, difficulty in explaining desired employee behavior, preventing over-saturation/overlap of information security messages, a large, widely distributed employee base, and decentralized distribution of messages [8].
• Future research may be done on designing an effective training program for senior decision makers with focus on the conceptual level, for engineering management with focus on software security practices, & for software developers with focus on the technical side [4].
• Future work may include integration of the test results obtained with other system-generated data, with its extension to other campuses or organizations for comparative research purposes [9].
• A few future recommendations may include work on awareness where students can spread security awareness by way of events, projects, screensavers, posters, quizzes, social networking, etc. [10].
• Future research may be done on identifying some core areas for effective cybercrime remedies, like periodic penetration testing of the systems, designing & implementing periodic security education & awareness programmes for employees, and receiving & delivering regular communication from senior management [1].


• The work to address security issues related to an insider with respect to the SDLC, like periodic enterprise-wide risk assessments, periodic security awareness training, and secure system administration, may be taken up as future work [2].
• Designing awareness, education and certificate programs like (ISC)2's Certified Secure Software Lifecycle Professional (CSSLPCM) certification program, with a focus on building security into the SDLC, may be some of the novel work in the concerned area [12].
• Future work may include designing software security awareness training keeping in mind coverage of personnel and job roles across the development organization, like executive level, management level, and development and security level, with consideration of beginning, intermediate and advanced classes for different needs [14].
• Further study may be conducted to investigate the role of awareness in promoting self-coordination. Moreover, text-based tasks instead of code-based tasks should be taken into consideration to overcome the problem of variances in technical aptitude [14].
• Validating the trend towards adoption of more "proactive" management strategies at higher maturity levels, leading to the establishment of a requirements volatility management framework on the dimensions "nature of management approach" and "project characteristics", may be some of the advanced areas for research [16].
• Future research goals may be to find a mechanism to filter notification messages such that they reach only recipients that need to be aware of the notification, thus reducing message volume and preventing awareness overload [17].
• Future research may be undertaken to study the various ways by which awareness can be created among the different stakeholders in the SDLC. A ranking of these ways to spread awareness may be done to improve the quality of the same [11].

Based on the above research directions, some pinpointed areas are identified, which are as follows:

• Awareness from Training and Education
• Awareness from Campaign
• Awareness from Interview & Questionnaire
• Awareness from Survey
• Awareness from Industry / Academia Interaction
• Awareness from Test and Experiments
• Awareness from Games and Simulation
• Awareness from Industry / Academia Tools
• Awareness from Online Community
• Awareness from Media and related areas

A diagrammatic view of the identified pinpointed areas of creating awareness among the various Software Engineering teams is shown in Figure I.

[Figure I: Techniques of Software Security Awareness]

V. Conclusion and Future Work

In today's information age, systems are in constant fear of attack from varied sources and of varied magnitude. The research findings have shown that the biggest threat to a system is an insider's attack rather than an outsider's attack. The enormity of security concerns increases when an insider's access colludes with the skills of an outside attacker to endanger the complete system. Hence, some form(s) of system should be designed and put into practice which could promote a sense of awareness among the employees (insiders) of an organization regarding the security of the system and its implementation. The paper tried to present an exhaustive as well as critical review of some concrete research work on various methods of implementing awareness among employees. At the same time, a number of noteworthy research areas are also identified for further investigation in the concerned area. The paper will help researchers who want to pursue their research in security awareness by providing a brief but complete review of the existing literature along with the current research topics.


The paper will serve as a base paper for researchers who will take up the research topics through our paper. Future work may include the development of a concrete system for creating and promoting awareness, with a proper mapping of internal and external roles to SDLC phases and to the various available methods of creating awareness. Metrics may then also be developed and applied to that mapping for the quantification of the values. This in turn will contribute to increasing the precision level of the mapping. This work will surely help the industry in implementing awareness among employees right from the beginning of the SDLC.

References

[1] 2010 Cyber Security Watch Survey: Cybercrime Increasing Faster Than Some Company Defenses, conducted by CSO magazine, the U.S. Secret Service, Software Engineering Institute CERT® Program at Carnegie Mellon University and Deloitte's Center for Security & Privacy Solutions, retrieved on 25/5/2010 from http://www.sei.cmu.edu/newsitems/cyber_sec_watch_2010_release.cfm

[2] Dawn M. Cappelli, Randall F. Trzeciak, Andrew P. Moore (2006): Insider Threats in the SDLC, A study conducted by CERT, U.S. Secret Service, CSO Magazine, Program, Software Engineering Institute, Carnegie Mellon University, 2006, retrieved on 25/5/2010 from www.cert.org/archive/pdf/sepg500.pdf

[3] Tom Olzak (2006): Strengthen Security with an Effective Security Awareness Program, 2006, paper retrieved on 26/5/2010 from http://adventuresinsecurity.com/Papers/Build_a_Security_Awareness_Program.pdf

[4] https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/training/256-BSI.html

[5] http://en.wikipedia.org/wiki/Security_awareness

[6] http://it.toolbox.com/blogs/adventuresinsecurity/strengthen-security-with-an-effective-security-awareness-program-8707

[7] http://www.sandisk.com/media/226716/enisa-whitepaper.pdf

[8] Allen M. Smith, Nancy Y. Toppel, Northrop Grumman Corporation (2009): Case Study: Using Security Awareness to Combat the Advanced Persistent Threat, Proceedings of the 13th Colloquium for Information Systems Security Education, University of Alaska, Fairbanks, Seattle, WA, June 1-3, 2009, pp. 64-70.

[9] Hennie Kruger, Lynette Drevin, Tjaart Steyn (2007): Email Security Awareness: a Practical Assessment of Employee Behaviour, In IFIP International Federation for Information Processing, Volume 237, Fifth World Conference on Information Security Education, eds. Futcher, L., Dodge, R., (Boston: Springer), 2007, pp. 33-40.

[10] Anja Beyer, Christiane Westendofr (2009): How to Establish Security Awareness in Schools, ISSE 2009 Securing Electronic Business Processes, Information Security Solutions Europe Conference, 2009, pp. 177-186.

[11] C. Banerjee, S. K. Pandey (2009): "Software Security Rules: SDLC Perspective", International Journal of Computer Science and Information Security, IJCSIS, USA, Vol. 6, No. 1, October 2009, pp. 123-128.

[12] Mano Paul: Software Security: Being Secure in an Insecure World, The International Information Systems Security Certification Consortium, retrieved on 26/5/2010 from www.softwaremag.com/trk.cfm?uid=65

[13] John Steven, Ken van Wyk (2006): Essential Factors for Successful Software Security Awareness Training, IEEE Security & Privacy, Sep-Oct 2006, pp. 80-83.

[14] Anita Sarma, André van der Hoek, and David F. Redmiles (2007): A Comprehensive Evaluation of Workspace Awareness in Software Configuration Management Systems, IEEE Symposium on Visual Languages and Human-Centric Computing, IEEE, 2007, pp. 23-26.


[15] Chun Che Fung, Varin Khera, Arnold Depickere, Panjai Tantatsanawong and Poonpong Boonbrahm (2008): Raising Information Security Awareness in Digital Ecosystem with Games: a Pilot Study in Thailand, Second IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2008), 2008, pp. 375-380.

[16] Rahul Thakurta, Frederik Ahlemann (2010): Understanding Requirements Volatility in Software Projects: An Empirical Investigation of Volatility Awareness, Management Approaches and their Applicability, Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, pp. 1-10.

[17] Daniela Damian, Luis Izquierdo, Janice Singer and Irwin Kwan (2007): Awareness in the Wild: Why Communication Breakdowns Occur, International Conference on Global Software Engineering (ICGSE 2007), 2007, pp. 81-90.

[18] Reid Holmes, Robert J. Walker (2008): Promoting developer-specific awareness, Proceedings of the 2008 International Workshop on Cooperative and Human Aspects of Software Engineering, International Conference on Software Engineering, 2008, pp. 61-64.

[19] Jacob T. Biehl, Mary Czerwinski, Greg Smith, George G. Robertson (2007): FASTDash: a visual dashboard for fostering awareness in software teams, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, San Jose, California, USA, 2007, pp. 1313-1322.

Chitreshh Banerjee is currently working as Faculty (Executive Officer) in the Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India (set up by an Act of Parliament), New Delhi. Before joining the present institute, he was associated with Gyan Vihar University, Jaipur as a senior faculty member. During this tenure, he was instrumental in the development of the Management Information System (MIS) of the university. He has an excellent academic background with very sound academic and research experience. Under the Institute-Industry linkage programme, he delivers expert lectures on varied themes pertaining to IT. As a prolific writer in the arena of Computer Science and Information Technology, he has written a number of books on Multimedia Systems, Information Technology, Software Engineering, and E-banking Security Transactions. He has contributed various research papers to conferences of international and national repute. His areas of interest include multimedia systems, e-learning, e-banking, and software security.

Santosh K. Pandey is presently working as Faculty (Executive Officer) in the Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India (set up by an Act of Parliament), New Delhi. Prior to this, he worked with the Department of Computer Science, Jamia Millia Islamia (A Central University), New Delhi. He has rich academic & research experience. His research interests include: Software Security, Requirements Engineering, Security Policies and Standards, Software Engineering, Access Control and Identity Management, Vulnerability Assessment, etc. Currently, he is working in the areas of Software Security and Requirements Engineering. He has published around 29 high-quality research papers in various acclaimed International / National Journals and reputed Conferences / Seminars. He has been nominated to the board of reviewers of various international / national Journals / Conferences. One of his research papers was adjudged the Best Paper at the National Conference on IT: Present Practices and Challenges, held at New Delhi during Aug 31 - Sep 1, 2007.
