13. – 18. November 2016, Dagstuhl-Seminar 16461

Assessing ICT Security Risks in Socio-Technical Systems


Tyler W. Moore (University of Tulsa, US)
Christian W. Probst (Technical University of Denmark – Lyngby, DK)
Kai Rannenberg (Goethe-Universität Frankfurt am Main, DE)
Michel van Eeten (TU Delft, NL)

Auskunft zu diesem Dagstuhl-Seminar erteilt

Dagstuhl Service Team


Dagstuhl's Impact: Dokumente verfügbar
Programm des Dagstuhl-Seminars [pdf]


In this seminar we will investigate systematic methods and tools to estimate ICT security risks in socio-technical systems and their economic environment. In particular, we search for novel security risk assessment methods that integrate different types of socio-technical security metrics.

As we progress from classic mechanical or electrical production systems, over ICT systems, to socio-technical systems, risk assessment becomes increasingly complex and difficult. Risk assessment for traditional engineering systems assumes the systems to be deterministic. In non-deterministic systems, standard procedure is to fix those factors that are not deterministic. These techniques do not scale to ICT systems where many risks are hard to trace due to the immaterial nature of information. Beyond ICT systems, socio-technical systems also contain human actors as integral parts of the system. In such socio-technical systems there may occur unforeseen interactions between the system, the environment, and the human actors, especially insiders.

Assessing the risk of the ICT system for human actors is difficult; assessing the risk of the human actor for the ICT system is difficult, too. Both ways require an understanding of how to address issues in these systems in a systematic way. Building on the findings of the predecessor seminars on insider threats and security metrics, we will explore the embedding of human behavior and security metrics into methods to support risk assessment:

  • Security metrics provide approaches for measuring information security risk in a socio-technical context;
  • Economics provides techniques for measuring the impact of risks and the cost for identifying the risk;
  • Risk assessment provides approaches for identifying and quantifying relevant risks; and
  • Human factors provide approaches for understanding and explaining human behavior.

Seminar activities

In this seminar we plan to explore the following areas in inter-disciplinary working group sessions working on a joint scenario:

  • Definitions of socio-technical systems;
  • Relation between vulnerability, privacy, and economic metrics;
  • Contrast between data required and data available in practice for the development of effective risk assessment methods (tools);
  • Direct and indirect economic impact of implementing those methods; and
  • Methods and tools to make security metrics available for risk assessment in socio-technical systems.

Objectives, prospective outcomes

The topics outlined above are mutually dependent, and their relation is largely unexplored. By bringing together communities that work in the seminar area and its boundaries, we plan to continue the fruitful collaborations started in previous seminars of this series. Taking their findings to the next level will require identification of possible systematic developments for tool support of risk assessment in socio-technical attacks. We expect the seminar to initiate the discussion of these systematic developments, and to lead to new interdisciplinary project proposals on national and international level. During the seminar we will identify leaders for promising follow-up activities and publications, and will work with the involved participants on reaching these goals.

Related Dagstuhl-Seminar


  • Modelling / Simulation
  • Security / Cryptology
  • Society / Human-computer Interaction


  • Security risk management
  • Economics of risk assessment
  • Socio-technical security
  • Human factor
  • Return on security investment


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.