License: Creative Commons Attribution 3.0 Unported license (CC BY 3.0)
When quoting this document, please refer to the following
DOI: 10.4230/DagRep.4.12.1
URN: urn:nbn:de:0030-drops-49744
URL: http://dagstuhl.sunsite.rwth-aachen.de/volltexte/2015/4974/

Gollmann, Dieter ; Herley, Cormac ; Koenig, Vincent ; Pieters, Wolter ; Sasse, Martina Angela
Other contributors (eds. etc.): Dieter Gollmann and Cormac Herley and Vincent Koenig and Wolter Pieters and Martina Angela Sasse

Socio-Technical Security Metrics (Dagstuhl Seminar 14491)

PDF: dagrep_v004_i012_p001_s14491.pdf (5 MB)


Abstract

This report documents the program and the outcomes of Dagstuhl Seminar 14491 "Socio-Technical Security Metrics". In the domain of safety, metrics inform many decisions, from the height of new dikes to the design of nuclear plants. We can state, for example, that the dikes should be high enough to guarantee that a particular area will flood at most once every 1000 years. Even when considering the limitations of such numbers, they are useful in guiding policy. Metrics for the security of information systems have not reached the same maturity level. This is partly due to the nature of security risk, in which an adaptive attacker rather than nature causes the threat events. Moreover, whereas the human factor may complicate safety and security procedures alike, in security this "weakest link" may be actively exploited by an attacker, such as in phishing or social engineering. In order to measure security at the level of socio-technical systems, one therefore needs to compare online hacking against such social manipulations, since the attacker may simply take the easiest path. In this seminar, we searched for suitable metrics that allow us to estimate information security risk in a socio-technical context, as well as the costs and effectiveness of countermeasures. Working groups addressed different topics, including security as a science, testing and evaluation, social dynamics, models and economics. The working groups focused on three main questions: what are we interested in, how to measure it, and what to do with the metrics.

BibTeX Entry

@Article{gollmann_et_al:DR:2015:4974,
  author =	{Dieter Gollmann and Cormac Herley and Vincent Koenig and Wolter Pieters and Martina Angela Sasse},
  title =	{{Socio-Technical Security Metrics (Dagstuhl Seminar 14491)}},
  pages =	{1--28},
  journal =	{Dagstuhl Reports},
  ISSN =	{2192-5283},
  year =	{2015},
  volume =	{4},
  number =	{12},
  editor =	{Dieter Gollmann and Cormac Herley and Vincent Koenig and Wolter Pieters and Martina Angela Sasse},
  publisher =	{Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{http://drops.dagstuhl.de/opus/volltexte/2015/4974},
  URN =		{urn:nbn:de:0030-drops-49744},
  doi =		{10.4230/DagRep.4.12.1},
  annote =	{Keywords: Security risk management, security metrics, socio-technical security, social engineering, multi-step attacks, return on security investment}
}

Keywords: Security risk management, security metrics, socio-technical security, social engineering, multi-step attacks, return on security investment
Collection: Dagstuhl Reports, Volume 4, Issue 12
Issue Date: 2015
Date of publication: 20.03.2015

