Socio-Technical Security Metrics (Dagstuhl Seminar 14491)

Dieter Gollmann, Cormac Herley, Vincent Koenig, Wolter Pieters, Martina Angela Sasse

    Research output: Contribution to journal › Article › Academic › peer-review


    Abstract

    This report documents the program and the outcomes of Dagstuhl Seminar 14491 "Socio-Technical Security Metrics". In the domain of safety, metrics inform many decisions, from the height of new dikes to the design of nuclear plants. We can state, for example, that the dikes should be high enough to guarantee that a particular area will flood at most once every 1000 years. Even when considering the limitations of such numbers, they are useful in guiding policy. Metrics for the security of information systems have not reached the same maturity level. This is partly due to the nature of security risk, in which an adaptive attacker rather than nature causes the threat events. Moreover, whereas the human factor may complicate safety and security procedures alike, in security this "weakest link" may be actively exploited by an attacker, such as in phishing or social engineering. In order to measure security at the level of socio-technical systems, one therefore needs to compare online hacking against such social manipulations, since the attacker may simply take the easiest path. In this seminar, we searched for suitable metrics that allow us to estimate information security risk in a socio-technical context, as well as the costs and effectiveness of countermeasures. Working groups addressed different topics, including security as a science, testing and evaluation, social dynamics, models and economics. The working groups focused on three main questions: what are we interested in, how to measure it, and what to do with the metrics.
    Original language: Undefined
    Pages (from-to): 1-28
    Number of pages: 28
    Journal: Dagstuhl reports
    Volume: 4
    Issue number: 12
    DOI: 10.4230/DagRep.4.12.1
    Publication status: Published - 20 Mar 2015

    Keywords

    • EC Grant Agreement nr.: FP7/318003
    • EWI-25937
    • SCS-Cybersecurity
    • multi-step attacks
    • Social Engineering
    • METIS-312551
    • return on security investment
    • EC Grant Agreement nr.: FP7/2007-2013
    • IR-95640
    • Security Metrics
    • Security risk management
    • Socio-technical security

    Cite this

    Gollmann, Dieter; Herley, Cormac; Koenig, Vincent; Pieters, Wolter; Sasse, Martina Angela. Socio-Technical Security Metrics (Dagstuhl Seminar 14491). In: Dagstuhl reports. 2015; Vol. 4, No. 12. pp. 1-28.
    @article{3841073211dc4769acfc8757ab8c025d,
    title = "Socio-Technical Security Metrics (Dagstuhl Seminar 14491)",
    abstract = "This report documents the program and the outcomes of Dagstuhl Seminar 14491 {"}Socio-Technical Security Metrics{"}. In the domain of safety, metrics inform many decisions, from the height of new dikes to the design of nuclear plants. We can state, for example, that the dikes should be high enough to guarantee that a particular area will flood at most once every 1000 years. Even when considering the limitations of such numbers, they are useful in guiding policy. Metrics for the security of information systems have not reached the same maturity level. This is partly due to the nature of security risk, in which an adaptive attacker rather than nature causes the threat events. Moreover, whereas the human factor may complicate safety and security procedures alike, in security this {"}weakest link{"} may be actively exploited by an attacker, such as in phishing or social engineering. In order to measure security at the level of socio-technical systems, one therefore needs to compare online hacking against such social manipulations, since the attacker may simply take the easiest path. In this seminar, we searched for suitable metrics that allow us to estimate information security risk in a socio-technical context, as well as the costs and effectiveness of countermeasures. Working groups addressed different topics, including security as a science, testing and evaluation, social dynamics, models and economics. The working groups focused on three main questions: what are we interested in, how to measure it, and what to do with the metrics.",
    keywords = "EC Grant Agreement nr.: FP7/318003, EWI-25937, SCS-Cybersecurity, multi-step attacks, Social Engineering, METIS-312551, return on security investment, EC Grant Agreement nr.: FP7/2007-2013, IR-95640, Security Metrics, Security risk management, Socio-technical security",
    author = "Dieter Gollmann and Cormac Herley and Vincent Koenig and Wolter Pieters and Sasse, {Martina Angela}",
    note = "Foreground = 40{\%}; Type of activity = seminar; Main leader = TUHH; Type of audience = scientific community; Size of audience = 35; Countries addressed = International;",
    year = "2015",
    month = "3",
    day = "20",
    doi = "10.4230/DagRep.4.12.1",
    language = "Undefined",
    volume = "4",
    pages = "1--28",
    journal = "Dagstuhl reports",
    issn = "2192-5283",
    publisher = "Dagstuhl",
    number = "12"
    }

    Gollmann, D, Herley, C, Koenig, V, Pieters, W & Sasse, MA 2015, 'Socio-Technical Security Metrics (Dagstuhl Seminar 14491)', Dagstuhl reports, vol. 4, no. 12, pp. 1-28. https://doi.org/10.4230/DagRep.4.12.1

