Two-level trust-based decision model for information assurance in a virtual organization

https://doi.org/10.1016/j.dss.2007.12.014

Abstract

Like other unstructured decision problems, selection of external trustworthy objects is challenging, particularly in a virtual organization (VO). Novel methods are desired to filter out invalid information as well as insecure programs. This paper presents a new, conceptual approach to support selection of objects. It is a two-level decision model, which helps a VO participant determine whether an external object can be accepted based on the object's quality and security features. This hierarchical decision-making process complies with both practical evidence and theoretical decision models. Its underlying concepts are logically sound and comprehensible. We illustrate the approaches using software selection.

Introduction

A virtual organization represents a loosely coupled community with a set of participants sharing resources based on mutually agreed upon rules. In our discussion, each participant represents an independent computing system associated with a single administrative domain. Each system contains a set of internal applications (see Fig. 1). An internal application performs dedicated functions or provides certain services. Some common features of a VO are: (1) they are self-organized by participants based on mutual interests; (2) they have a large scope spanning multiple administrative domains; (3) they have dynamic members, i.e., participants join and leave at any time; and (4) they allow resources to be shared in a controlled and accountable manner. An open source software community is an example of a virtual organization, where thousands of programmers and software engineers voluntarily contribute to developing large-scale software and offer programs they have developed to share with other participants. Such a virtual organization is decentralized and self-organized. In GNUe [8], for example, no company or corporate executive has administrative authority or resource control to determine what work will be done, what the schedule will be, and who will be assigned to perform any of the specified tasks [26]. The participants decide to offer and consume information based on their own needs and criteria. Many other types of VOs exist, including peer-to-peer systems, Grid systems, and electronic virtual markets.

Information assurance has become a major concern for many VOs. Low barriers to publishing information in a VO require novel mechanisms to verify the quality and security features of available information before it can be used by a participant. In an open source software community, there are thousands of software programs freely available for download. The quality of each program varies widely due to the expertise of its developers, the software engineering practices those developers use, and the information process culture those developers have. In this paper, we focus on two aspects of information assurance: information quality and security. Information quality refers to the quality of an object, e.g., whether it correctly describes a “thing” or provides a function. For instance, the quality of a software program can be described by its functionality, usability, reliability, etc. If a program has been developed with a race condition or deadlock, for example, then that program is considered to have poor quality. If a program produces correct results in a consistent and predictable manner given a full set of well-prepared testing inputs, then it has high quality in terms of functionality. Security features of a program refer to its safety and reliability when being executed by users. A program is safe to use if it does not contain malicious code, is free of vulnerabilities, and has no functions beyond its designed specifications.

Our framework addresses the issue of information assurance from the object trust perspective. A user evaluates the quality and security of a program based on how much the program can be trusted from two aspects: (1) whether the program functions correctly, and (2) whether the program is secure and safe for use. The core part of our framework is a two-level decision model developed to assist users in selecting external objects that satisfy the users' requirements for information assurance. As the name implies, a final decision is made based on evaluations at two levels – the system level and the internal application level. As mentioned earlier, a participant of a VO represents an independent system, which contains a set of internal applications providing different functions and services. The two-level decision model separates the specifications of selection criteria between a system and its internal applications. With different focuses and scopes at the two levels, the requirements for information assurance are specified with different degrees of detail. The decision at the system level is based on a set of general trust-related attributes for a given type of objects and their respective testing conditions. For instance, for software selection and reuse, a system may define general policy rules based on general attributes related to the software's licenses (not all open source software is created with the same licenses) and virus detection. These rules, for example, may define that “any software without appropriate licenses can't be selected” and “the software must pass virus detection test.” The goal is to quickly filter or select an object, if possible. The decision rules defined at this level are applied within the entire scope of the system.
The decision at the application level, on the other hand, is based on additional or refined trust-related attributes for the given type of objects and their respective testing conditions to further filter and rearrange the objects that have been selected at the system level. For instance, the decision rules at the internal application level may specify, “the software selected to run on a server machine must not have hidden routines to open network connections without system administrator's acknowledgement” and “the software selected to be used as components to build mission-critical projects cannot accept arbitrary-length files as inputs for security reasons.” Any external object must satisfy the requirements defined at both the system and internal application levels in order to be used internally. A flow chart for a high-level view of the proposed decision process is illustrated in Fig. 2.
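
The two-level check described above, sketched as an added example (this is not code from the paper). The attribute names, the license allow-list, the fail-closed handling of missing attributes and the sample objects are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass

# Operators a rule may use; "in" tests membership in an allow-list.
OPS = {"==": operator.eq, "in": lambda value, allowed: value in allowed}

@dataclass(frozen=True)
class Rule:
    attribute: str      # trust-related attribute being tested
    op: str             # key into OPS
    expected: object    # value or allow-list the attribute is tested against

    def holds(self, obj: dict) -> bool:
        # Assumption: fail closed. No evidence for an attribute means the rule fails.
        if self.attribute not in obj:
            return False
        return OPS[self.op](obj[self.attribute], self.expected)

# System level: a few general rules applied to every external object.
SYSTEM_RULES = [
    Rule("license", "in", frozenset({"GPL-2.0", "BSD-3-Clause", "MIT"})),
    Rule("virus_scan_passed", "==", True),
]
# Application level: refined rules, one set per internal application.
APP_RULES = {
    "server": [Rule("opens_hidden_connections", "==", False)],
    "mission_critical_build": [Rule("accepts_arbitrary_length_files", "==", False)],
}

def failed_rules(obj: dict, rules: list) -> list:
    return [r.attribute for r in rules if not r.holds(obj)]

def decide(obj: dict, application: str) -> tuple:
    """Return (accepted, deciding_level, failed_attributes) for one object."""
    failed = failed_rules(obj, SYSTEM_RULES)
    if failed:  # filtered out early; application rules are never evaluated
        return (False, "system", failed)
    failed = failed_rules(obj, APP_RULES[application])
    return (not failed, "application", failed)

# Constructed sample objects (attribute values would come from real evidence).
CANDIDATES = {
    "libfoo": {"license": "MIT", "virus_scan_passed": True,
               "opens_hidden_connections": False,
               "accepts_arbitrary_length_files": True},
    "netd": {"license": "MIT", "virus_scan_passed": True,
             "opens_hidden_connections": True,
             "accepts_arbitrary_length_files": False},
    "unlicensed": {"virus_scan_passed": True, "opens_hidden_connections": False},
}
```

The same object can be accepted for one internal application and rejected for another: `libfoo` passes for `server` but not for `mission_critical_build`.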

Throughout this paper, we use open source software selection and reuse as an illustrative example. Although our model focuses on the security and quality features of a given object, it is open to other dimensions. Our major contributions include (1) proposal of a trust-based hierarchical decision model, which focuses on object intrinsic and extrinsic features; (2) design of key decision-making components, e.g., attribute-driven policy rules, threshold selection criteria and operators, and balance between positive and negative features of an object; (3) development of a utility fusion theory based on the decreasing margin utility theory; and (4) applications of the proposed framework to software selection and reuse.

Related work

Two major streams of literature are related to our work: general decision-making methods and trust-based decision models. We discuss each of them next.

Terminology

This section first defines object, trust-related attributes of a type of objects, and the values of those attributes given an object. Then the coined term utility is introduced. A UML class diagram is developed to illustrate the relationships among the terms defined in this paper (see Fig. 3).

Definition 1

An object is a passive entity that represents a piece of information or knowledge in various forms such as a software program, a data item, a statement, or a file.

Object is a generic term. In our

Decision model at the system level

Since the decision model at the system level defines general rules to select objects, the decision process at this level should be quick and standard, but less specific. Based on a relatively small set of the most representative and important attributes, the decision rules at this level quickly filter out objects that are obviously out of bounds, or select an object that clearly meets the system's expectations.

The steps in developing policy rules can be summarized as: (1)

Decision model at the application level

The decision model at the system level focuses on the system-wide general requirements for information quality and security without addressing any particular concerns of internal applications within that system. The decision model at the application level allows individual internal applications to specify and apply their additional and refined policies to filter or reorganize those objects selected at the system level.

Conclusions

This paper addresses the issue of information assurance in a virtual organization (VO) environment. We present a two-level decision model to aid VO participants in selecting external information with the required level of quality and security. Evaluating the trustworthiness of an object is challenging since it requires the evaluator to have solid domain knowledge about that object and have reliable resources to refer to. The proposed model guides users to go through two major steps to make the

Acknowledgement

The authors are thankful to Dr. Robert L. Herklotz for his support and the editors and anonymous reviewers for their valuable comments. The research effort of Dr. Brajendra Panda has been supported by the US AFOSR under grant F49620-01-10346.

References (37)

  • J. Zeleznikow et al. Using soft computing to build real world intelligent decision systems in uncertain domains. Decision Support Systems (2001)
  • K.J. Adams et al. Knowledge discovery from decision tables by the use of multiple-valued logic. Artificial Intelligence Review (2003)
  • M. Blaze et al. Decentralized trust management
  • A. Caplin et al. Psychological expected utility theory and anticipatory feelings. Quarterly Journal of Economics (2006)
  • Y. Chu et al. REFEREE: trust management for web applications. World Wide Web Journal (1997)
  • T.P.V. Dyke et al. Measuring information systems service quality: concerns on the use of the SERVQUAL questionnaire. MIS Quarterly (1997)
  • M. Elliott et al. Free software development: cooperation and conflict in a virtual organizational culture
  • J. Feigenbaum. Overview of the AT&T Labs Trust Management Project: position paper


Yanjun Zuo is an assistant professor at the University of North Dakota, Grand Forks, USA. He earned his Ph.D. in Computer Science from the University of Arkansas, Fayetteville, USA in 2005. He also holds two master’s degrees in Computer Science and Business Administration from the University of Arkansas and the University of North Dakota, Grand Forks, USA, respectively. His research interests include information and computer security, trustworthy computing, survivable and self-healing systems, and information privacy protection. He has published numerous articles in refereed journals and conference proceedings in these fields.

Brajendra Panda is a professor at the University of Arkansas, Fayetteville, USA. He received his Ph.D. in Computer Science from North Dakota State University, Fargo, USA in 1994 and a master’s degree in mathematics from Utkal University, India in 1985. His research interests include database systems, trusted database systems, computer security, computer forensics, and information assurance. He has published extensively in these fields.
