Designing for cyber security risk-based decision making.

Authors: M’manga, A.

Editors: Faily, S. and McAlaney, J.

Conference: Bournemouth University, Faculty of Science and Technology

Abstract:

Techniques for determining and applying cyber security decisions typically follow risk- based analytical approaches where alternative options are put forward based on goals and context, and weighed in accordance to risk severity metrics. These decision making approaches are however difficult to apply in risk situations bounded by uncertainty as decision alternatives are either unknown or unclear. This problem is further compounded by the rarity of expert security decision makers and the far-reaching repercussions of un-informed decision making.

The nature of operations in cyber security indicates that only a handful of systems are independent of the human operators, exposing the majority of organisations to risk from security threats and risks as a product of human decision making limitations. Addressing the problem requires considering factors contributing to risk and uncertainty during the early stages of system design, motivating the development of systems that are not only usable and secure, but that facilitate informed decision making as a central goal.

The thesis investigates this by posing the question; what system design techniques should be taken into consideration to facilitate cyber security decision making during situations of risk and uncertainty? The research was approached qualitatively with interviews as the main data elicitation approach. Grounded Theory was applied to five security decision making studies to inductively elicit, model, and validate design requirements for Risk-based Decision Making in cyber security.

Contributions arising from thesis work are: an identification of factors contributing to security analysts’ risk practices and understanding, a model for communicating and tracing risk rationalisation by cyber security decision makers, a conceptual model illustrating the various concepts in cyber security decision making and their relationship, and guidelines and suggested implementation techniques guiding the specification of requirements for systems deployed in cyber security Risk-based Decision Making. The thesis is validated by applying the proposed design guidelines to inform an approach used to design a charity’s secure data handling policy.

https://eprints.bournemouth.ac.uk/33280/

Source: Manual

Designing for cyber security risk-based decision making.

Authors: M’manga, A.

Conference: Bournemouth University

Abstract:

Techniques for determining and applying cyber security decisions typically follow risk- based analytical approaches where alternative options are put forward based on goals and context, and weighed in accordance to risk severity metrics. These decision making approaches are however difficult to apply in risk situations bounded by uncertainty as decision alternatives are either unknown or unclear. This problem is further compounded by the rarity of expert security decision makers and the far-reaching repercussions of un-informed decision making. The nature of operations in cyber security indicates that only a handful of systems are independent of the human operators, exposing the majority of organisations to risk from security threats and risks as a product of human decision making limitations. Addressing the problem requires considering factors contributing to risk and uncertainty during the early stages of system design, motivating the development of systems that are not only usable and secure, but that facilitate informed decision making as a central goal. The thesis investigates this by posing the question; what system design techniques should be taken into consideration to facilitate cyber security decision making during situations of risk and uncertainty? The research was approached qualitatively with interviews as the main data elicitation approach. Grounded Theory was applied to five security decision making studies to inductively elicit, model, and validate design requirements for Risk-based Decision Making in cyber security. Contributions arising from thesis work are: an identification of factors contributing to security analysts’ risk practices and understanding, a model for communicating and tracing risk rationalisation by cyber security decision makers, a conceptual model illustrating the various concepts in cyber security decision making and their relationship, and guidelines and suggested implementation techniques guiding the specification of requirements for systems deployed in cyber security Risk-based Decision Making. The thesis is validated by applying the proposed design guidelines to inform an approach used to design a charity’s secure data handling policy.

https://eprints.bournemouth.ac.uk/33280/

Source: BURO EPrints