Socio-Technical Aspects of Security Analysis

This thesis seeks to establish a semi-automatic methodology for security analysis when users are considered part of the system. The thesis explores this challenge, which we refer to as ‘socio-technical security analysis’. We consider that a socio-technical vulnerability is the conjunction of a human behaviour, the factors that foster the occurrence of this behaviour, and a system. Therefore, the aim of the thesis is to investigate which human-related factors should be considered in system security, and how to incorporate these identified factors into an analysis framework.
Finding a way to systematically detect, in a system, the socio-technical vulnerabilities that can stem from insecure human behaviours, along with the factors that influence users into engaging in these behaviours is a long journey that we can summarise in three research questions:
1. How can we detect a socio-technical vulnerability in a system?
2. How can we identify in the interactions between a system and its users, the human behaviours that can harm this system’s security?
3. How can we identify the factors that foster human behaviours that are harmful to a system’s security?
A review of works that aim at bringing social sciences findings into security analysis reveals that there is no unified way to do it. Identifying the points where users can harm a system’s security, and clarifying what factors can foster an insecure behaviour is a complex matter. Hypotheses can arise about the usability of the system, aspects pertaining to the user or the organisational context but there is no way to find and test them all. Further, there is currently no way to systematically integrate the results regarding hypotheses we tested in a security analysis. Thus, we identify two objectives related to these methodological challenges that this thesis aims at fulfilling in its contributions:
1. What form should a framework that intends to identify harmful behaviours for security, and to investigate the factors that foster their occurrence take?
2. What form should a semi-automatic, or tool-assisted methodology for the security analysis of socio-technical systems take?
The thesis provides partial answers to the questions. First it defines a methodological framework called STEAL that provides a common ground for an interdisciplinary approach to security analysis. STEAL supports the interaction between computer scientists and social scientists by providing a common reference model to describe a system with its human and non-human components, potential attacks and defences, and the surrounding context. We validate STEAL in a two experimental studies, showing the role of the context and graphical cues in Wi-Fi networks’ security.
Then the thesis complements STEAL with a Root Cause Analysis (RCA) methodology for security inspired from the ones used in safety. This methodology, called S·CREAM aims at being more systematic than the research methods that can be used with STEAL (surveys for instance) and at providing reusable findings for analysing security. To do so, S·CREAM provides a retrospective analysis to identify the factors that can explain the success of past attacks and a methodology to compile these factors in a form that allows for the consideration of their potential effects on a system’s security, given an attacker Threat Model. The thesis also illustrates how we developed a tool—the S·CREAM assistant— that supports the methodology with an extensible knowledge base and computer-supported reasoning.