Defining "The Weakest Link" Comparative Security in Complex Systems of Systems

Wolter Pieters

doi:10.1109/CloudCom.2013.101

Defining "The Weakest Link" Comparative Security in Complex Systems of Systems

Wolter Pieters

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

7 Citations (Scopus)

3 Downloads (Pure)

Abstract

Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.

Original language	Undefined
Title of host publication	2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom
Place of Publication	Piscataway, New Jersey
Publisher	IEEE Computer Society
Pages	39-44
Number of pages	6
ISBN (Print)	978-0-7695-5095-4
DOIs	https://doi.org/10.1109/CloudCom.2013.101
Publication status	Published - 5 Dec 2013
Event	5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013 - Bristol, United Kingdom Duration: 2 Dec 2013 → 5 Dec 2013 Conference number: 5 http://cipsijoomla.ux.uis.no/

Publication series

Name
Publisher	IEEE Computer Society

Conference

Conference	5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013
Abbreviated title	CloudCom
Country/Territory	United Kingdom
City	Bristol
Period	2/12/13 → 5/12/13
Internet address	http://cipsijoomla.ux.uis.no/

Keywords

SCS-Cybersecurity
Socio-technical security
EWI-24649
induced risk
comparative security
weakest link
METIS-304055
EC Grant Agreement nr.: FP7/318003
security risk assessment
Security Metrics
IR-90427
Attacker utility
EC Grant Agreement nr.: FP7/2007-2013

Access to Document

10.1109/CloudCom.2013.101

http://eprints.eemcs.utwente.nl/secure2/24649/01/wolter.pdf

Cite this

@inproceedings{f00f36bba10c438bac58d1d7a851aa9b,

title = "Defining {"}The Weakest Link{"} Comparative Security in Complex Systems of Systems",

abstract = "Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of {"}weakest link{"} often appears. Humans are then typically said to be the {"}weakest link{"} when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of {"}weakest link{"}, in terms of the entity (set of entities) with the highest induced risk.",

keywords = "SCS-Cybersecurity, Socio-technical security, EWI-24649, induced risk, comparative security, weakest link, METIS-304055, EC Grant Agreement nr.: FP7/318003, security risk assessment, Security Metrics, IR-90427, Attacker utility, EC Grant Agreement nr.: FP7/2007-2013",

author = "Wolter Pieters",

note = "Foreground = 100%;Type of activity = workshop;Main leader = TUD;Type of audience = industry + scientific;Size of audience = 15;Countries addressed = international;; null ; Conference date: 02-12-2013 Through 05-12-2013",

year = "2013",

month = dec,

day = "5",

doi = "10.1109/CloudCom.2013.101",

language = "Undefined",

isbn = "978-0-7695-5095-4",

publisher = "IEEE Computer Society",

pages = "39--44",

booktitle = "2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom",

address = "United States",

url = "http://cipsijoomla.ux.uis.no/",

}

Pieters, W 2013, Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. in 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. IEEE Computer Society, Piscataway, New Jersey, pp. 39-44, 5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013, Bristol, United Kingdom, 2/12/13. https://doi.org/10.1109/CloudCom.2013.101

Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. / Pieters, Wolter.

2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. Piscataway, New Jersey : IEEE Computer Society, 2013. p. 39-44.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Defining "The Weakest Link" Comparative Security in Complex Systems of Systems

AU - Pieters, Wolter

N1 - Conference code: 5

PY - 2013/12/5

Y1 - 2013/12/5

N2 - Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.

AB - Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.

KW - SCS-Cybersecurity

KW - Socio-technical security

KW - EWI-24649

KW - induced risk

KW - comparative security

KW - weakest link

KW - METIS-304055

KW - EC Grant Agreement nr.: FP7/318003

KW - security risk assessment

KW - Security Metrics

KW - IR-90427

KW - Attacker utility

KW - EC Grant Agreement nr.: FP7/2007-2013

U2 - 10.1109/CloudCom.2013.101

DO - 10.1109/CloudCom.2013.101

M3 - Conference contribution

SN - 978-0-7695-5095-4

SP - 39

EP - 44

BT - 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom

PB - IEEE Computer Society

CY - Piscataway, New Jersey

Y2 - 2 December 2013 through 5 December 2013

ER -