Research article. DOI: 10.1145/2683467.2683474

An Asset to Security Modeling?: Analyzing Stakeholder Collaborations Instead of Threats to Assets

Published: 15 September 2014

Abstract

Risk assessment in information security traditionally analyzes threats to assets. An asset is a persistent item or property of value and has an owner. Attacks damage assets; security controls prevent attacks to preserve their value. Expected attack loss is calculated from the value of the attacked assets. This common analytic approach works satisfactorily if an IT system runs in an enclosed environment within an organization. Nowadays, IT systems are accessed and used across organizational boundaries by a multitude of independent stakeholders, each employing them for their own interests and with particular expectations regarding their trustworthiness. The asset paradigm cannot support estimating the consequences of security incidents that may harm these complex stakeholder collaborations. We propose to model the stakeholder collaboration networks and to analyze scenarios of how security incidents affect the relationships between stakeholders. Collaboration continuously creates value for all participants. Security incidents change the behavior of stakeholders and their willingness to collaborate, but in complicated ways. Transmission factors characterizing a relationship help us to assess the impact of incidents. We apply the conventional method and our new approach to a case study and compare the results.
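As an added illustration (not the paper's own model or code), the following Python contrasts the two views the abstract describes: a per-asset expected-loss calculation, and a toy collaboration network in which an incident at one stakeholder propagates along relationships, attenuated by assumed transmission factors, reducing the value each collaboration creates per period. Stakeholder names, asset values, probabilities and factors are constructed sample values.

```python
# Added illustration, not the paper's model: contrast the asset view of expected
# loss with a toy stakeholder collaboration network. All names and numbers are
# constructed sample values.
from collections import defaultdict

# Asset view: each asset has an assumed attack probability and a value.
ASSETS = {
    "research_dataset": (0.10, 200_000.0),
    "archive_server": (0.05, 50_000.0),
}

def asset_expected_loss(assets):
    """Expected attack loss = sum over assets of P(attack) * asset value."""
    return sum(p * value for p, value in assets.values())

# Collaboration view: directed relationships between stakeholders. Each carries
# the value the collaboration creates per period and an assumed transmission
# factor t in [0, 1]: the share of the source's loss of willingness to
# collaborate that is passed on to the partner.
EDGES = [
    # (source, partner, value_per_period, transmission_factor)
    ("archive", "depositors", 30_000.0, 0.8),
    ("archive", "researchers", 40_000.0, 0.5),
    ("researchers", "funder", 60_000.0, 0.3),
    ("depositors", "archive", 10_000.0, 0.2),
]

def propagate_impact(edges, incident_at, severity):
    """Spread an incident (severity in [0, 1]) from the affected stakeholder
    along relationships, attenuated by each edge's transmission factor, keeping
    the strongest path; a node is revisited only on a strictly larger impact."""
    impact = defaultdict(float)
    impact[incident_at] = severity
    frontier = [incident_at]
    while frontier:
        src = frontier.pop()
        for a, b, _, t in edges:
            if a == src and impact[a] * t > impact[b]:
                impact[b] = impact[a] * t
                frontier.append(b)
    return dict(impact)

def collaboration_loss(edges, incident_at, severity, periods):
    """Collaboration value lost over `periods`: each relationship yields less
    in proportion to how far its source's willingness to collaborate dropped."""
    impact = propagate_impact(edges, incident_at, severity)
    return sum(value * impact.get(a, 0.0) * periods for a, _, value, _ in edges)

if __name__ == "__main__":
    print("asset view:", asset_expected_loss(ASSETS))
    print("collaboration view:", collaboration_loss(EDGES, "archive", 0.5, 4))
```

With these sample values an incident at the archive costs 22,500 in the asset view but 216,000 over four periods in the collaboration view, because the loss is driven by the relationships it disturbs rather than by the damaged assets alone.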




Published In

NSPW '14: Proceedings of the 2014 New Security Paradigms Workshop, September 2014, 148 pages. ISBN 9781450330626, DOI 10.1145/2683467.

Sponsor: ACSA (Applied Computing Security Association)

Publisher: Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. assets
        2. collaboration networks
        3. harm analysis
        4. requirements elicitation
        5. risk assessment
        6. security engineering
        7. threat modeling


Conference

NSPW '14: New Security Paradigms Workshop, September 15 - 18, 2014, Victoria, British Columbia, Canada. Sponsor: ACSA.

        Acceptance Rates

        NSPW '14 Paper Acceptance Rate 11 of 32 submissions, 34%;
        Overall Acceptance Rate 98 of 265 submissions, 37%


Cited By

        • (2022) A cyber-risk framework for coordination of the prevention and preservation of behaviours. Journal of Computer Security 30(3):327-356, 4 Jul 2022. DOI 10.3233/JCS-210047
        • (2019) A Multi-Vocal Review of Security Orchestration. ACM Computing Surveys 52(2):1-45, 30 Apr 2019. DOI 10.1145/3305268
        • (2018) Caring for IT Security. Proceedings of the ACM on Human-Computer Interaction 2(CSCW):1-20, 1 Nov 2018. DOI 10.1145/3274361
        • (2017) The Trouble with Security Requirements. 2017 IEEE 25th International Requirements Engineering Conference (RE), pages 122-133, Sep 2017. DOI 10.1109/RE.2017.13
        • (2017) ITAOFIR: IT Asset Ontology for Information Risk in Knowledge Economy and Beyond. Global Security, Safety and Sustainability - The Security Challenges of the Connected World, pages 173-187, 4 Jan 2017. DOI 10.1007/978-3-319-51064-4_15
        • (2016) Safeguarding information as an asset: Do we need a redefinition in the knowledge economy and beyond? SA Journal of Information Management 18(1), 31 May 2016. DOI 10.4102/sajim.v18i1.706
