CfP: Workshop on Agile Secure Software Development @ ARES’15

We are co-organizing a workshop on agile secure software development in conjunction with the ARES'15 conference. Please find the full call for papers on the workshop website. The conference takes place in Toulouse this year.

Important dates:

Submission Deadline: April 15, 2015
Author Notification: May 11, 2015
Proceedings version: June 8, 2015
Conference: August 24-28, 2015

The Social Component of Risk Assessment

Earlier this year Andreas presented our paper An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets (DOI: 10.1145/2683467.2683474) at the New Security Paradigms Workshop. During our work with the GESIS Secure Data Center team it emerged that the common way of doing risk assessment may be flawed. In this paper we discuss what is missing and how to analyze collaboration networks to understand the consequences of security incidents.

Risk assessment, as described for example in ISO 31000, is a systematic process that prepares decisions. The goal of this process is to find appropriate risk responses and treatments. A risk can be accepted or even increased (if doing so entails an opportunity); it can be avoided, shared or transferred; or the risk can be mitigated by reducing its likelihood or impact. As a prerequisite for informed decisions one goes through the risk assessment process, during which one identifies, analyzes, and evaluates pertinent risks. The figure below, a more elaborate version of which can be found in ISO 31000, illustrates this process chain.

A 4-step process: (1) risk identification; (2) risk analysis; (3) risk evaluation; (4) risk treatment. Risk assessment comprises steps 1-3.

Stakeholders participate in this process as a source of information, knowing their respective business or business function and being able to assess likelihoods and impacts. This standard approach to risk assessment has the premise that risk treatments are variable and the objective is to find optimal values for them.

In our paper we propose a complementary approach. Our premise: stakeholders collaborate in complicated networks for mutual benefit. Risk and incident responses are to a large degree determined by their collaboration relationships. These pre-determined responses are not to be defined as a result of risk assessment; rather, they constitute a factor to be considered in risk analysis and evaluation. The figure below is a simplified version of Figure 8 in our paper:

SDC Stakeholder Network

The Secure Data Center serves its users, who are part of a larger research community; the SDC also needs its users, as serving them is its purpose. Beyond the individual user, the research community at large benefits from SDC services and influences their acceptance. Primary investigators provide data; they benefit from wider recognition of their work through secondary analyses and fulfil obligations by archiving their data. Survey participants are the source of all data. Everyone wants to preserve their willingness to participate in studies.

The need for an extension of risk assessment methodologies became apparent when we reviewed the threat models the participants of our study had produced and discussed them with the participants. They expressed various concerns about the stakeholders involved and their possible reactions to security incidents. Although traditional approaches to risk assessment include the analysis of consequences, they fail to provide tools for this analysis. In the security domain in particular it is often assumed that consequences can be evaluated by identifying assets and assigning some monetary value to each of them. In our experience it is more complicated.
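To make the contrast with the asset-centric view concrete, here is an added illustration (not code from the paper or from GESIS) that encodes the stakeholder network described above as a dependency graph and traces how far the consequences of an incident at one stakeholder travel along collaboration relationships. The edge list, the hop-count traversal and the assumption that survey participants' willingness depends on the SDC and the primary investigators handling their data well are constructed for this example.

```python
"""Constructed stakeholder-collaboration model of the SDC network.

Edge a -> b means: stakeholder a relies on something b provides (services,
data, acceptance, recognition, willingness to participate). The relationships
follow the post's description; the 'survey participants' edges are an
assumption added for the example.
"""
from collections import deque

SDC_NETWORK = {
    "Secure Data Center": ["users", "research community", "primary investigators"],
    "users": ["Secure Data Center"],
    "research community": ["Secure Data Center"],
    "primary investigators": ["survey participants", "research community",
                              "Secure Data Center"],
    # Assumption: willingness to participate depends on trust in data handling.
    "survey participants": ["Secure Data Center", "primary investigators"],
}


def dependents(network):
    """Invert the graph: for each stakeholder, list who relies on them."""
    rev = {stakeholder: [] for stakeholder in network}
    for stakeholder, relies_on in network.items():
        for provider in relies_on:
            rev[provider].append(stakeholder)
    return rev


def consequence_reach(network, incident_at):
    """Breadth-first walk over dependents.

    Returns {stakeholder: hops}, the number of collaboration links over which
    the consequences of an incident at `incident_at` reach each stakeholder.
    A stakeholder that never appears is unaffected under this model.
    """
    rev = dependents(network)
    hops = {incident_at: 0}
    queue = deque([incident_at])
    while queue:
        current = queue.popleft()
        for dependent in rev[current]:
            if dependent not in hops:
                hops[dependent] = hops[current] + 1
                queue.append(dependent)
    return hops


if __name__ == "__main__":
    for origin in ("Secure Data Center", "survey participants"):
        print(origin, "->", consequence_reach(SDC_NETWORK, origin))
```

An incident at the SDC touches every other stakeholder within one link, while a loss of survey participants' willingness reaches the users only indirectly, via the primary investigators and the SDC; neither picture is visible when consequences are reduced to a value per asset.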

Read the paper on our website or in the ACM digital library:

Andreas Poller; Sven Türpe; Katharina Kinder-Kurlanda: An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets. New Security Paradigms Workshop (NSPW’14), Victoria, BC, September 15-18, 2014. DOI: 10.1145/2683467.2683474 [BibTeX]

Discussing threat models with developers and application experts

On July 24, we met with the GESIS remote access team to discuss the threat models they had created individually in the preceding four weeks. It was interesting for us to see how different perspectives on the security problems of GESIS' Secure Data Center merged. However, opinions were divided about what the team should tackle first. While protecting GESIS' reputation by preserving the privacy of data subjects in the provided microdata is essential, protecting GESIS' IT infrastructure also plays a crucial role for the software development project.

Group discussion

Finalizing the interview phase

Since mid-June participants in the ESSE project have been using several security requirement elicitation tools, amongst them a mind map tool and the Microsoft SDL tool, in order to define security requirements for a remote access system for the Secure Data Center (SDC). The SDC provides researchers with the opportunity to use sensitive research data, which is subject to special access requirements and restrictions. A well thought-out remote access could considerably reduce travel costs without compromising on security. Participants in the project come from various areas within GESIS and have very diverse perspectives on the planned system – which resulted in a variety of interesting models and results. They have been explaining their thought processes and modeling activities to us in detail in the expert interviews we have been conducting over the past weeks. We have now almost finished interviewing and are looking forward to the next step in the process – a group discussion later this month.

Getting started

GESIS and SIT are now officially collaborating to evaluate security requirement modeling tools – while defining security requirements for the Secure Data Center remote access. The cooperation contract has been signed by both parties and we are looking forward to an exciting year of interdisciplinary, hands-on research!