Representing humans in system security models: An actor-network approach
- Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
Cited by 9 (1 self)
Abstract. System models to assess the vulnerability of information systems to security threats typically represent a physical infrastructure (buildings) and a digital infrastructure (computers and networks), in combination with an attacker traversing the system while acquiring credentials. Other humans are generally not included, as their behaviour is considered more difficult to express. We propose a graph-based reference model for reasoning about access in system models including human actions, inspired by the sociological actor-network theory, treating humans and non-humans symmetrically. This means that humans can employ things to gain access (an attacker gains access to a room by means of a key), but things can also employ humans to gain access (a USB stick gains access to a computer by means of an employee), leading to a simple but expressive model. The model has the additional advantage that it is not based on containment, an increasingly problematic notion in the age of disappearing boundaries between systems. Based on the reference model, we discuss algorithms for finding attacks, as well as examples. The reference model can serve as a starting point for discussing representations of human behaviour in system models, and for including human behaviour in other than graph-based approaches.
cope with data mobility
, 2008
"... On the inability of existing security models to ..."
ANKH: Information Threat Analysis with
Abstract. Traditional information security modelling approaches often focus on containment of assets within boundaries. Due to what is called de-perimeterisation, such boundaries, for example in the form of clearly separated company networks, disappear. This paper argues that in a deperimeterised situation a focus on containment in security modelling is ineffective. Most importantly, the tree structure induced by the notion of containment is insufficient to model the interactions between digital, physical and social aspects of security. We use the sociological framework of actor-network theory to model information security starting from group membership instead of containment. The model is based on hypergraphs, and is also applicable to physical and social security measures. We provide algorithms for threat finding as well as examples.
inconsistencies between security policies
"... Portunes: generating attack scenarios by finding ..."