Model-Driven Information Security Risk Assessment of Socio-Technical Systems

Dan Ionita

    Research output: ThesisPhD Thesis - Research UT, graduation UT

    877 Downloads (Pure)


    As more aspects of life transition to the digital domain, computer systems become increasingly complex but also more social. But assessing a socio-technical system is no trivial task: it often requires intimate knowledge of the system, awareness of the social dynamics and trust relationships of its users, a deep understanding of both hardware and software, as well as the ability to quantify risks, communicate security policies and engage stakeholders. Conceptual models, as tools designed to help make sense of complex issues, can help with some of these problems.
    This dissertation explores the role of conceptual models in assessing risks related to the development and operation of socio-technical systems. I propose several model-driven modelling and analysis approaches which can be used stand-alone but can also augment existing risk management processes. The approaches are centered on three modelling paradigms not traditionally used in risk management.
    I use Tangible modelling, i.e. “physical” modeling using graspable three-dimensional tokens, to facilitate the collaborative modelling of socio-technical systems. I find it has beneficial effects on the quality of the resulting models when the modellers, especially when some of the modelers have a technical background. I use argumentation modelling, i.e. recording the rationale behind claims can support the security decision-making process, to support the security decision-making process. I find that structuring the risk assessment as a set of arguments forces risk assessors to make their assumptions explicit and that maintaining a mapping between risks and countermeasures increases the defensibility of the resulting security requirements. I use value modelling, i.e. understanding the value transfers which underpin any commercial information system, to quantify risks, identify vulnerabilities to fraud, and rationalize processes. I propose an ontological and procedural extension to automate this process.
    Original languageEnglish
    QualificationDoctor of Philosophy
    Awarding Institution
    • University of Twente
    • Wieringa, R.J., Supervisor
    Thesis sponsors
    Award date8 Mar 2018
    Place of PublicationEnschede
    Print ISBNs978-90-365-4483-2
    Publication statusPublished - 8 Mar 2018


    • Risk assessment
    • Socio-technical systems
    • Socio-technical-physical systems
    • Socio-technical security
    • Socio-technical system modelling
    • Information security risk management
    • E3value
    • Tangible modelling
    • Argumentation
    • Modelling security and policies


    Dive into the research topics of 'Model-Driven Information Security Risk Assessment of Socio-Technical Systems'. Together they form a unique fingerprint.
    • Towards security requirements: Iconicity as a feature of an informal modeling language

      Vasenev, A., Ionita, D., Zoppi, T., Ceccarelli, A. & Wieringa, R. J., 2017, CEUR Workshop Proceedings. RWTH Aachen: CEUR, Vol. 1796. p. 1-15 15 p. (CEUR Workshop Proceedings; vol. 1796).

      Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    • ArgueSecure: Out-of-the-box Risk Assessment

      Ionita, D., Kegel, R., Baltuta, A. & Wieringa, R., Sept 2016, Proceedings of the 2015 IEEE 2nd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE). Piscataway, NJ: IEEE, p. 74-79 6 p.

      Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

      1 Downloads (Pure)
    • A study on tangible participative enterprise modelling

      Ionita, D., Kaidalova, J., Vasenev, A. & Wieringa, R., 17 Nov 2016, Advances in Conceptual Modeling: ER 2016 Workshops, AHA, MoBiD, MORE-BI, MReBA, QMMQ, SCME, and WM2SP, Gifu, Japan, November 14–17, 2016, Proceedings. Link, S. & Trujillo, J. C. (eds.). Cham: Springer, p. 139-148 10 p. (Lecture Notes in Computer Science; vol. 9975).

      Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

      Open Access
      1 Citation (Scopus)
      164 Downloads (Pure)

    Cite this