- Annette Beyer (for administrative matters)
- Autonomous Vehicle : Security by Design : article - Chattopadhyay, Anupam; Lam, Kwok-Yan; Tavva, Yaswanth - Los Alamitos : IEEE, 2020. - pp. 1-15 - (IEEE Transactions on Intelligent Transportation Systems ; 2020 : article).
- Reconciling Multiple Objectives : Politics or Markets? : article in LNCS 10476 - Anderson, Ross J.; Baqer, Khaled - Berlin : Springer, 2017. - pp. 144-156 - (Lecture notes in computer science ; 10476 : article).
- Systematization of Knowledge : Quantifying Cyber Risk : article - Woods, Daniel W.; Böhme, Rainer - Innsbruck : Universität, 2020. - 18 pp.
In this seminar we will investigate systematic methods and tools to estimate ICT security risks in socio-technical systems and their economic environment. In particular, we search for novel security risk assessment methods that integrate different types of socio-technical security metrics.
As we progress from classic mechanical or electrical production systems, through ICT systems, to socio-technical systems, risk assessment becomes increasingly complex and difficult. Risk assessment for traditional engineering systems assumes the systems to be deterministic. In non-deterministic systems, the standard procedure is to fix those factors that are not deterministic. These techniques do not scale to ICT systems, where many risks are hard to trace due to the immaterial nature of information. Beyond ICT systems, socio-technical systems also contain human actors as integral parts of the system. In such socio-technical systems, unforeseen interactions may occur between the system, the environment, and the human actors, especially insiders.
Assessing the risk of the ICT system for human actors is difficult; assessing the risk of the human actor for the ICT system is difficult, too. Both ways require an understanding of how to address issues in these systems in a systematic way. Building on the findings of the predecessor seminars on insider threats and security metrics, we will explore the embedding of human behavior and security metrics into methods to support risk assessment:
- Security metrics provide approaches for measuring information security risk in a socio-technical context;
- Economics provides techniques for measuring the impact of risks and the cost of identifying the risk;
- Risk assessment provides approaches for identifying and quantifying relevant risks; and
- Human factors provide approaches for understanding and explaining human behavior.
In this seminar we plan to explore the following areas in inter-disciplinary working group sessions working on a joint scenario:
- Definitions of socio-technical systems;
- Relation between vulnerability, privacy, and economic metrics;
- Contrast between data required and data available in practice for the development of effective risk assessment methods (tools);
- Direct and indirect economic impact of implementing those methods; and
- Methods and tools to make security metrics available for risk assessment in socio-technical systems.
Objectives, prospective outcomes
The topics outlined above are mutually dependent, and their relation is largely unexplored. By bringing together communities that work in the seminar area and its boundaries, we plan to continue the fruitful collaborations started in previous seminars of this series. Taking their findings to the next level will require identification of possible systematic developments for tool support of risk assessment in socio-technical attacks. We expect the seminar to initiate the discussion of these systematic developments, and to lead to new interdisciplinary project proposals at the national and international level. During the seminar we will identify leaders for promising follow-up activities and publications, and will work with the involved participants on reaching these goals.
- Ross Anderson (University of Cambridge, GB)
- Johannes M. Bauer (Michigan State University - East Lansing, US)
- Zinaida Benenson (Universität Erlangen-Nürnberg, DE)
- Rainer Böhme (Universität Innsbruck, AT)
- L. Jean Camp (Indiana University - Bloomington, US)
- Tristan Caulfield (University College London, GB)
- Nicolas Christin (Carnegie Mellon University - Pittsburgh, US)
- Richard Clayton (University of Cambridge, GB)
- Serge Egelman (ICSI - Berkeley, US)
- Barbara Fila (IRISA - Rennes, FR)
- Carlos H. Ganan (TU Delft, NL)
- Dieter Gollmann (TU Hamburg-Harburg, DE)
- Hannes Hartenstein (KIT - Karlsruher Institut für Technologie, DE)
- Florian Kammüller (Middlesex University - London, GB)
- Vincent Koenig (University of Luxembourg, LU)
- Stewart Kowalski (Norwegian Univ. of Science & Technology - Gjøvik, NO)
- Kwok-Yan Lam (Nanyang TU - Singapore, SG)
- Stefan Laube (Universität Münster, DE)
- Gabriele Lenzini (University of Luxembourg, LU)
- Thomas Maillart (University of Geneva, CH)
- Fabio Massacci (University of Trento, IT)
- Kanta Matsuura (University of Tokyo, JP)
- Tyler W. Moore (University of Tulsa, US)
- Sebastian Pape (Goethe-Universität Frankfurt am Main, DE)
- Simon Parkin (University College London, GB)
- Wolter Pieters (TU Delft, NL)
- Christian W. Probst (Technical University of Denmark - Lyngby, DK)
- Kai Rannenberg (Goethe-Universität Frankfurt am Main, DE)
- Martina Angela Sasse (University College London, GB)
- Christian Sillaber (Universität Innsbruck, AT)
- Sven Übelacker (TU Hamburg-Harburg, DE)
- Michel van Eeten (TU Delft, NL)
- Maarten van Wieren (Deloitte - Amsterdam, NL)
- Melanie Volkamer (Karlstad University, SE)
- Edgar A. Whitley (London School of Economics, GB)
- Jeff Yan (Lancaster University, GB)
- Dagstuhl Seminar 14491: Socio-Technical Security Metrics (2014-11-30 - 2014-12-05)
- modelling / simulation
- security / cryptology
- society / human-computer interaction
- Security risk management
- economics of risk assessment
- socio-technical security
- human factor
- return on security investment