Results 1 - 9 of 9
Semantics for Structured Systems Modelling and Simulation
Cited by 10 (8 self)
Simulation modelling is an important tool for exploring and reasoning about complex systems. Many supporting languages are available. Commonly occurring features of these languages are constructs capturing concepts such as process, resource, and location. We describe a mathematical framework that supports a modelling idiom based on these core concepts, and which adopts stochastic methods for representing the environments within which systems exist. We explain how this framework can be used to give a semantics to a simulation modelling language, Core Gnosis, that includes basic constructs for process, resource, and location. We include a brief discussion of a logic for reasoning about models that is compositional with respect to their structure. Our mathematical analysis of systems in terms of process, resource, location, and stochastic environment, together with a language that captures these concepts quite directly, yields an efficient and robust modelling framework within which natural mathematical reasoning about systems is captured.
Decision support for systems security investment
- Manuscript, HP Labs, 2010
Cited by 4 (4 self)
Abstract. Information security managers with fixed budgets must invest in security measures to mitigate increasingly severe threats whilst maintaining the alignment of their systems with their organization's business objectives. The state of the art lacks a systematic methodology to support security investment decision-making. We describe a methodology that integrates methods from multi-attribute utility evaluation and mathematical systems modelling. We illustrate our approach using a case study of a large organization divesting itself of its IT support services, delivering useful results to the organization's security managers. Specifically, by integrating a mathematical model of system behaviour with an account of the utility of available security investment strategies, the case study has enabled them to understand better the trade-offs between the security performance and the operational consequences of their choices.
STRUCTURED SYSTEMS ECONOMICS FOR SECURITY MANAGEMENT
Cited by 3 (2 self)
ABSTRACT. We develop an ontological account of information security architectures that is inspired by economic models of trade-offs between confidentiality, integrity, and availability. Our approach clarifies the nature of the trade-offs by making a clear distinction between declarative and operational concepts in security. We integrate this approach with a semantically justified mathematical systems modelling technology, thus providing a basis for a systematic methodology to support operational decision-making in information security investments and trade-offs.
Economics of Identity and Access Management: Providing Decision Support for Investments
Cited by 1 (1 self)
Abstract — Identity and Access Management (IAM) is a key enabler of enterprise businesses: it supports automation, security enforcement and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus at the IT operational level, rather than targeting strategic decision makers' issues, at the business level. Organisations are experiencing an increasing number of internal and external threats and risks: there is scarcity of resources and budget to address them all. Decision makers (e.g. CIOs, CISOs) need to prioritise their choices and motivate their requests for investments. This applies for investments in IAM vs. other possible security or business investments that could be made by the organisation. In this context, a range of possible IAM investment options has an effect on multiple strategic outcomes of interest, such as assurance, agility, security, compliance, productivity and empowerment. We have developed a repeatable approach and methodology to help organisations work through this complex problem space and determine an appropriate strategy, by providing them with decision support capabilities. The proposed approach, validated in collaboration with Security & IAM experts, couples economic modeling, enabling decision makers to explore their preferences between the different outcomes, with system modeling & simulations to predict the consequences (likely outcomes) associated with different investment choices and map them against decision makers’ preferences to identify the most suitable options. We illustrate how this methodology has been applied in an IAM case study, in a business-driven context with core enterprise services. This work is in progress. We discuss current results and next steps.
Hewlett-Packard
Abstract—Information security managers with fixed budgets must invest in security measures to mitigate increasingly severe threats whilst maintaining the alignment of their systems with their organization's business objectives. The state of the art lacks a systematic methodology to support security investment decision-making. We describe a methodology that integrates methods from multi-attribute utility evaluation and mathematical systems modelling. We illustrate our approach using a collaborative case study with the security managers of a large organization divesting itself of its IT support services. The case study was validated against the experience and observations of the security managers and delivered, according to their judgement, useful results. Specifically, by integrating a mathematical model of system behaviour with an account of the utility of available security investment strategies, the case study has enabled them to understand better the trade-offs between the security performance and the operational consequences of their choices.
THE STRUCTURE AND DYNAMICS OF SYSTEMS SECURITY ECONOMICS
ABSTRACT. Structured systems security economics provides a conceptual framework, inspired by macroeconomic models of trade-offs and mathematical systems models, for analysing the structure of security architectures, their policy constraints, and their interactions with users. In this paper, we explore the dynamics of structured systems security economics by considering the representation and functionality of Actors in the framework. We show how a simple representation of Actors' preferences is sufficient to understand the security dynamics of the system and support utility calculations that inform design and investment decisions. Overall, the framework is intended to facilitate the design and implementation of trustworthy security systems.
Information Stewardship in the Cloud: A Model-based Approach
Abstract. Managing the information stewardship lifecycle is a challenge. In the context of cloud computing, the stakeholders in cloud ecosystems must also take account of the demands of the information stewardship lifecycles of other participants in the ecosystem. We describe a modelling framework — incorporating tools from mathematical systems modelling, economics, and policy/user modelling — suitable for supporting reasoning and decision making in cloud ecosystems, and so provides a basis for developing model-based service level agreements.
SYSTEMATIC DECISION MAKING IN SECURITY MANAGEMENT: MODELLING PASSWORD USAGE AND SUPPORT
ABSTRACT. We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded with empirical data, to compare, using simulations, two options. The basis of the comparison is a notion of organizational utility. Using our results, we are able to explore trade-offs between breaches of system security, users' productivity, and investment in support operations.

