Model-Driven Information Security Risk Assessment of Socio-Technical Systems

    Research output: Thesis › PhD Thesis - Research UT, graduation UT


    Abstract

    As more aspects of life transition to the digital domain, computer systems become increasingly complex but also more social. But assessing a socio-technical system is no trivial task: it often requires intimate knowledge of the system, awareness of the social dynamics and trust relationships of its users, a deep understanding of both hardware and software, as well as the ability to quantify risks, communicate security policies and engage stakeholders. Conceptual models, as tools designed to help make sense of complex issues, can help with some of these problems.
    This dissertation explores the role of conceptual models in assessing risks related to the development and operation of socio-technical systems. I propose several model-driven modelling and analysis approaches which can be used stand-alone but can also augment existing risk management processes. The approaches are centered on three modelling paradigms not traditionally used in risk management.
    I use tangible modelling, i.e. “physical” modelling using graspable three-dimensional tokens, to facilitate the collaborative modelling of socio-technical systems. I find it has beneficial effects on the quality of the resulting models, especially when some of the modellers have a technical background. I use argumentation modelling, i.e. recording the rationale behind claims, to support the security decision-making process. I find that structuring the risk assessment as a set of arguments forces risk assessors to make their assumptions explicit and that maintaining a mapping between risks and countermeasures increases the defensibility of the resulting security requirements. I use value modelling, i.e. understanding the value transfers which underpin any commercial information system, to quantify risks, identify vulnerabilities to fraud, and rationalize processes. I propose an ontological and procedural extension to automate this process.
    Original language: English
    Awarding Institution
    • University of Twente
    Supervisors/Advisors
    • Wieringa, Roelf J., Supervisor
    Thesis sponsors
    Award date: 8 Mar 2018
    Place of Publication: Enschede
    Publisher
    Print ISBNs: 978-90-365-4483-2
    DOIs
    Publication status: Published - 8 Mar 2018

    Keywords

    • RISK ASSESSMENT
    • Socio-Technical Systems
    • Socio-Technical-Physical Systems · Modelling security and policies
    • Socio-technical security
    • socio-technical system modelling
    • Information Security Risk Management
    • E3value
    • Tangible modelling
    • Argumentation
