STAST: Socio-technical analysis of security and trust

One of the greatest challenges facing computer security today is to prevent attacks that exploit human weaknesses.

Nowadays, only rarely attackers target the standard security technical components (e.g., the cryptographic protocols) of the system to violate the systems' defences. Instead, they often combine social engineering and technical strategies to conduct socio-technical attacks. Attackers undermine security by also exploiting the users misunderstanding of security mechanisms (often exacerbated by poorly designed user interfaces or unusable security. Socio-technical attacks threaten the foundations of the trust that users have in information and communication technology.

One of the greatest challenges facing computer security today is to prevent attacks that exploit human weaknesses. Nowadays, only rarely attackers target the standard security technical components (e.g., the cryptographic protocols) of the system to violate the systems' defences. Instead, they often combine social engineering and technical strategies to conduct socio-technical attacks.

A peculiarity of these threats is that an adversary combines social engineering with technical skills to circumvent the defenses of information systems. Attackers undermine security by also exploiting the users misunderstanding of security mechanisms (often exacerbated by poorly designed user interfaces or unusable security. Socio-technical attacks threaten the foundations of the trust that users have in information and communication technology.

Up to now almost all the academic effort in information security has concentrated on solving the technical aspects of the problem. This Up to now almost all the academic effort in information security has concentrated on solving the technical aspects of security. This proposal aims to fill this gap by studying the nature of socio-technical attacks and by providing tools for the analysis of security of information systems and services against these attacks. Specifically, this project will achieve the following two goals:

(1) To propose a framework in which to model socio-technical components of information systems.

This goal includes modelling system's technical components but also the human-computer interfaces, the physical objects, the users and all their interactive ceremonies. This implies also, limitedly to our use case scenarios, modelling users' cognitive status and users' behavioural responses during an interaction with the system.

(2) To develop tools to detect, possibly in a semi automatic or automatic way, attacks of socio-technical nature given a model of a system.

This goal includes also to define the adversary model, and to identify the security properties that are relevant in a socio-technical framework. Up to certain level of detail, we have to specify the context where the interactions between the system's principals takeplace and the trust interactions between agents.

We validate our result on test scenarios. The scenarios are taken from key domains in system security and trust: electronic voting, web certification, and ATM security.

The project will answer challenging research questions on how to embed user cognitive constraints and behavioural interactive patterns in the model of the system and how to analyse the overall system's security and integrity.

This project requires an interdisciplinary approach which is ensured by the composition of the proponent team, namely: the Interdisciplinary Centre for Reliability, Security and Trust (SnT) with focus on trust, and the Educational Measurement and Applied Cognitive Science (EMACS) with focus on HCI and usability.

The team will collaborate with 5 external partners Univ. Catania, Univ. Newcastle, Norwegian TNU, Royal Holloway Univ. of London, and UCL. An industrial partner participates in the project: CIRCL, the incident response centre Luxembourg.

For further information or questions, please don’t hesitate to contact Peter Ryan or Sjouke Mauw

You may also visit the STAST website: http://www.apsia.uni.lu/stast/home/