Modelling Socio-Technical Aspects of Organisational Security

Marieta G. Ivanova

Research output: Thesis, PhD Thesis - Research external, graduation external, Academic


Abstract

Threat identification and risk assessment for organisations often consider only the technical aspects, overlooking vulnerabilities that originate from attacks on the social level, for example social engineering, and abstracting away the physical infrastructure. However, attacks on organisations are far from purely technical. After all, organisations consist of employees, and the human factor is often the weakest point in an organisation's security: it may be easier to break into a system with a social-engineering attack than with a purely technological one. The Stuxnet attack is only one of many examples showing that organisational vulnerabilities are increasingly exploited on several levels at once, including the human factor. There is an urgent need to integrate the technical and social aspects of systems when assessing their security. Such an integration would close this gap, but it also complicates the formal treatment and automatic identification of attacks. This dissertation shows that a system-modelling approach to socio-technical systems can be used to identify attacks on organisations that exploit vulnerabilities at several of these levels. In support of this claim we present a modelling framework that represents the physical infrastructure of an organisation as a graph in which actors and data are modelled as nodes. Based on the semantics of the underlying process calculus, we develop a formal analytical approach that generates attack trees from the model. The overall goal of the framework is to predict, prioritise and minimise the vulnerabilities of organisations, either by preventing an attack altogether or at least by increasing the difficulty and cost of carrying it out. We validate the approach on scenarios from IPTV and cloud-infrastructure case studies.
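To make the step from a graph model of an organisation to an attack tree concrete, the following is a constructed toy example written for this page; it is not the thesis's own framework, notation or tooling, and it does not attempt the process-calculus semantics the abstract refers to. An organisation is a small directed graph of locations; actors and data sit at locations; passing a door or reading data requires a key; and a key can be talked out of the actor who holds it at a social-engineering cost. The attack tree is generated backwards from the attacker's goal (an OR node over alternative ways to achieve a subgoal, an AND node over the steps each way needs), alternatives under each OR are ordered by cost so the cheapest appears first, and a forward search over (location, keys held) states computes the true cheapest attack for comparison. Every location, actor, key, data item and cost below is an assumption.

```python
import heapq
from dataclasses import dataclass

# Constructed sample organisation; every name and cost below is an assumption.
EDGES = [("outside", "reception", None),        # (from, to, key needed to pass or None)
         ("reception", "office", "badge"),      # directed: one entry per door direction
         ("office", "server_room", "srv_key")]
ACTORS = {"receptionist": ("reception", {"badge"}, 2),   # name: (location, keys held,
          "admin": ("office", {"srv_key"}, 5),            #   cost to talk a key out of them)
          "cleaner": ("reception", {"srv_key"}, 3)}
DATA = {"customer_db": ("server_room", "srv_key")}      # name: (location, key needed to read)
ATTACKER_START, MOVE_COST = "outside", 1

@dataclass
class Node:
    label: str
    kind: str        # "AND" (all children needed), "OR" (any child), "LEAF" (one step)
    children: list
    cost: float      # AND: sum of children; OR: cheapest child; LEAF: cost of the step

def leaf(label, cost):
    return Node(label, "LEAF", [], cost)

def and_node(label, parts):
    return Node(label, "AND", parts, sum(p.cost for p in parts))

def or_node(label, options):
    if not options:
        return None                      # no way to achieve this subgoal
    options.sort(key=lambda n: n.cost)   # prioritise: cheapest alternative first
    return Node(label, "OR", options, options[0].cost)

def reach(loc, pending):
    """Ways for the attacker to be at `loc`: OR over the doors leading into it."""
    if loc == ATTACKER_START:
        return leaf(f"start at {loc}", 0)
    if ("reach", loc) in pending:        # subgoal already being expanded: cut the cycle
        return None
    pending = pending | {("reach", loc)}
    options = []
    for src, dst, key in EDGES:
        if dst != loc:
            continue
        parts = [reach(src, pending)] + ([have(key, pending)] if key else [])
        if all(parts):
            options.append(and_node(f"enter {dst} via {src}",
                                    parts + [leaf(f"move {src}->{dst}", MOVE_COST)]))
    return or_node(f"reach {loc}", options)

def have(key, pending):
    """Ways to obtain `key`: OR over the actors who hold it (reach them, then ask)."""
    if ("have", key) in pending:
        return None
    pending = pending | {("have", key)}
    options = []
    for name, (loc, keys, cost) in ACTORS.items():
        r = reach(loc, pending) if key in keys else None
        if r is not None:
            options.append(and_node(f"get {key} from {name}",
                                    [r, leaf(f"social-engineer {name} for {key}", cost)]))
    return or_node(f"have {key}", options)

def attack_tree(data):
    """Root goal: read `data`, which needs being at its location AND holding its key."""
    loc, key = DATA[data]
    parts = [reach(loc, frozenset()), have(key, frozenset())]
    return and_node(f"read {data}", parts) if all(parts) else None

def cheapest_attack(data):
    """Forward Dijkstra over (location, keys held) states. A shared step is paid
    once here, unlike in the tree, so this is the true minimum-cost attack."""
    loc_goal, key_goal = DATA[data]
    start = (ATTACKER_START, frozenset())
    heap, best, tick = [(0, 0, start, [])], {start: 0}, 1
    while heap:
        cost, _, (loc, keys), steps = heapq.heappop(heap)
        if cost > best[(loc, keys)]:
            continue                     # stale queue entry
        if loc == loc_goal and key_goal in keys:
            return cost, steps + [f"read {data}"]
        moves = [(MOVE_COST, (dst, keys), f"move {src}->{dst}")
                 for src, dst, key in EDGES if src == loc and (key is None or key in keys)]
        moves += [(acost, (loc, keys | {k}), f"social-engineer {name} for {k}")
                  for name, (aloc, akeys, acost) in ACTORS.items() if aloc == loc
                  for k in akeys - keys]
        for c, state, step in moves:
            if cost + c < best.get(state, float("inf")):
                best[state] = cost + c
                heapq.heappush(heap, (cost + c, tick, state, steps + [step]))
                tick += 1
    return None

def render(node, depth=0):
    lines = [f"{'  ' * depth}[{node.kind} cost={node.cost}] {node.label}"]
    for child in node.children:
        lines += render(child, depth + 1)
    return lines

if __name__ == "__main__":
    print("\n".join(render(attack_tree("customer_db"))))
    print(cheapest_attack("customer_db"))
```

Running the block prints the tree for reading customer_db, with the cheaper way to obtain srv_key (the cleaner at reception, cost 4) listed before the admin in the office (cost 10). Note the caveat a practitioner should keep in mind when reading costs off a tree: summing over an AND node pays a shared subgoal once per branch (reaching the reception is counted in several places, and srv_key is obtained once for the server-room door and again for reading the data), so the tree reports 14 while the state-space search finds the same attack at cost 8. Which figure is meaningful depends on the semantics attached to the tree; the thesis derives its trees from a process-calculus semantics that this toy does not reproduce.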
Original language: English
Awarding institution: Technical University of Denmark
Supervisor: Probst, Christian W.
Award date: 1 Jan 2016
Place of publication: Copenhagen
Publisher: Technical University of Denmark
Publication status: Published - 2016


Keywords

  • IR-101820
  • METIS-318570
  • EC Grant Agreement nr.: FP7/318003
  • EC Grant Agreement nr.: FP7/2007-2013
  • EWI-27346

Cite this

Ivanova, M. G. (2016). Modelling Socio-Technical Aspects of Organisational Security. Copenhagen: Technical University of Denmark.
Ivanova, Marieta G. Modelling Socio-Technical Aspects of Organisational Security. Copenhagen: Technical University of Denmark, 2016. 148 p.
@phdthesis{364f7086ac2c422aa613823510061715,
title = "Modelling Socio-Technical Aspects of Organisational Security",
keywords = "IR-101820, METIS-318570, EC Grant Agreement nr.: FP7/318003, EC Grant Agreement nr.: FP7/2007-2013, EWI-27346",
author = "Ivanova, {Marieta G.}",
note = "DTU Compute PHD-2016 (ISSN 0909-3192); No. 406. - eemcs-eprint-27346",
year = "2016",
language = "English",
publisher = "Technical University of Denmark",
school = "Technical University of Denmark",

}
