Defining "The Weakest Link" Comparative Security in Complex Systems of Systems

  • 3 Citations

Abstract

Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.
Original language: Undefined
Title of host publication: 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom
Place of Publication: Piscataway, New Jersey
Publisher: IEEE Computer Society
Pages: 39-44
Number of pages: 6
ISBN (Print): 978-0-7695-5095-4
DOIs: 10.1109/CloudCom.2013.101
State: Published - 5 Dec 2013
Event: 5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013 - Bristol, United Kingdom

Publication series

Publisher: IEEE Computer Society

Conference

Conference: 5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013
Abbreviated title: CloudCom
Country: United Kingdom
City: Bristol
Period: 2/12/13 - 5/12/13

Fingerprint

Employees
Complex systems
Vulnerability
Socio-technical systems

Keywords

  • SCS-Cybersecurity
  • Socio-technical security
  • EWI-24649
  • induced risk
  • comparative security
  • weakest link
  • METIS-304055
  • EC Grant Agreement nr.: FP7/318003
  • security risk assessment
  • Security Metrics
  • IR-90427
  • Attacker utility
  • EC Grant Agreement nr.: FP7/2007-2013

Cite this

Pieters, W. (2013). Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. In 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom (pp. 39-44). Piscataway, New Jersey: IEEE Computer Society. DOI: 10.1109/CloudCom.2013.101

Pieters, Wolter / Defining "The Weakest Link" Comparative Security in Complex Systems of Systems.

2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. Piscataway, New Jersey: IEEE Computer Society, 2013. p. 39-44.

Research output: Scientific - peer-review › Conference contribution

@inbook{f00f36bba10c438bac58d1d7a851aa9b,
title = "Defining {"}The Weakest Link{"} Comparative Security in Complex Systems of Systems",
abstract = "Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of {"}weakest link{"} often appears. Humans are then typically said to be the {"}weakest link{"} when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of {"}weakest link{"}, in terms of the entity (set of entities) with the highest induced risk.",
keywords = "SCS-Cybersecurity, Socio-technical security, EWI-24649, induced risk, comparative security, weakest link, METIS-304055, EC Grant Agreement nr.: FP7/318003, security risk assessment, Security Metrics, IR-90427, Attacker utility, EC Grant Agreement nr.: FP7/2007-2013",
author = "Wolter Pieters",
note = "Foreground = 100%;Type of activity = workshop;Main leader = TUD;Type of audience = industry + scientific;Size of audience = 15;Countries addressed = international;",
year = "2013",
month = "12",
doi = "10.1109/CloudCom.2013.101",
isbn = "978-0-7695-5095-4",
publisher = "IEEE Computer Society",
pages = "39--44",
booktitle = "2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom",
address = "United States",
}

Pieters, W 2013, Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. in 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. IEEE Computer Society, Piscataway, New Jersey, pp. 39-44, 5th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2013, Bristol, United Kingdom, 2-5 December. DOI: 10.1109/CloudCom.2013.101

Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. / Pieters, Wolter.

2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. Piscataway, New Jersey: IEEE Computer Society, 2013. p. 39-44.

Research output: Scientific - peer-review › Conference contribution

TY - CHAP

T1 - Defining "The Weakest Link" Comparative Security in Complex Systems of Systems

AU - Pieters, Wolter

N1 - Foreground = 100%;Type of activity = workshop;Main leader = TUD;Type of audience = industry + scientific;Size of audience = 15;Countries addressed = international;

PY - 2013/12/5

Y1 - 2013/12/5

N2 - Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.

AB - Cloud architectures are complex socio-technical systems of systems, consisting not only of technological components and their connections, but also of physical premises and employees. When analysing security of such systems and considering countermeasures, the notion of "weakest link" often appears. Humans are then typically said to be the "weakest link" when it comes to security, but no proof is provided for this statement. One reason for this is the fact that there are no unified metrics of security that would apply to physical, digital and social components of complex systems alike. How does one compare the security of a room against the security of a piece of data, and how does social engineering an employee compare to exploiting a server vulnerability? Are we really comparing apples and oranges here, or would it be possible to present a comparative metric that would apply across the different domains? This paper explores the possibility of such a metric for complex systems, and proposes one in terms of the risk induced by an entity in the system. This also provides a foundation for the notion of "weakest link", in terms of the entity (set of entities) with the highest induced risk.

KW - SCS-Cybersecurity

KW - Socio-technical security

KW - EWI-24649

KW - induced risk

KW - comparative security

KW - weakest link

KW - METIS-304055

KW - EC Grant Agreement nr.: FP7/318003

KW - security risk assessment

KW - Security Metrics

KW - IR-90427

KW - Attacker utility

KW - EC Grant Agreement nr.: FP7/2007-2013

U2 - 10.1109/CloudCom.2013.101

DO - 10.1109/CloudCom.2013.101

M3 - Conference contribution

SN - 978-0-7695-5095-4

SP - 39

EP - 44

BT - 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom

PB - IEEE Computer Society

ER -

Pieters W. Defining "The Weakest Link" Comparative Security in Complex Systems of Systems. In 2013 IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom. Piscataway, New Jersey: IEEE Computer Society. 2013. p. 39-44. DOI: 10.1109/CloudCom.2013.101