The Social Side of Security
Requirements, Regulations, and Breaches
Dr Ozgur Kafalı
Lecturer
School of Computing
University of Kent
20 March 2018
INTRODUCTION
Research Background
Dr Ozgur Kafalı The Social Side of Security 20 March 2018 1 / 28
INTRODUCTION
Hard Problems
Resilient architectures
Scalability & composability
Metrics
Human behaviour
Policy and governance
INTRODUCTION
Research Interests
INTRODUCTION
Glossary
Sociotechnical systems
Regulations and norms
Accountability
Role-based access control
Ontologies
BREACHES
Security-Critical Data
https://techgeek365.com/how-to-protect-your-data-when-shopping-online/
BREACHES
Alternative Ways to Use your Card
BREACHES
Oops, They Did It Again
Nurses peek celebrity medical records
http://www.avant.org.au/news/20160622-improper-access-of-medical-records/
http://articles.latimes.com/2008/mar/15/local/me-britney15
MOTIVATION
Common Factor in Breaches
Mostly humans
More broadly: Sociotechnical and human factors
Corroborated by reports from
  Governments
  Organisations
  Academic studies
MOTIVATION
Sociotechnical Systems (STS)
STS: Any modern ICT system
  Technical: Computers and software components
  Social: People and interactions
Consider a hospital environment
  Technical: Electronic health records (EHR) software
  People: Doctors, nurses, patients
  Interactions: Doctor consulting a colleague
MOTIVATION
STS Conception
[Figure: STS conception diagram in two tiers (Social Tier, Technical Tier). Node labels: Requirements; Stakeholders; Agent ... Agent; Assumptions; Mechanisms; Norms; Functional and Control Components. Edge labels: interaction; mechanisms yield; norms regulate; identify; specify.]
REGULATIONS
Regulatory Norms
Credit to my colleague Munindar Singh
REGULATIONS
Security Requirements and Regulations
Correspond to “authorizations”, “commitments”, and “prohibitions”
Authorization: A doctor is authorized to access a patient’s EHR if the patient gives consent
Commitment: The hospital is committed to keeping patients’ EHR secure
Prohibition: A doctor is prohibited from disclosing a patient’s protected health information (PHI) to outsiders
REGULATIONS
Challenges
Elicitation: Extracting functional requirements is hard, extracting security and privacy requirements is (almost) impossible
Hybrid approaches for extraction of requirements from regulations and breaches
  Human intelligence: Crowdsourcing
  Machine intelligence: Natural language processing (NLP)
Ambiguity
AI FOR SECURITY & PRIVACY
Need for Intelligence: Breaches vs Bridges
Getty Images
AI FOR SECURITY & PRIVACY
Core Research Questions
RQ1 – Verification: How can we verify an STS specification against the requirements of its stakeholders?
RQ2 – Design: How can we design a secure and privacy-aware STS with respect to tradeoffs and conflicts among its requirements?
RQ3 – Extraction: How can we identify potential malicious and accidental misuses, and associated requirements of an STS?
AI FOR SECURITY & PRIVACY
RQ1: Requirements Verification
[Figure: state diagram over states S0, Si, Sj, Sk, with the labels shown in each part of the diagram.
S0: c conditional, p conditional.
Si: c detached, p detached; c violated, p satisfied; c satisfied, p violated.
Sj: c satisfied, p satisfied; r unsatisfied.
Sk: c satisfied, p satisfied, r satisfied; r satisfied.]
Kafalı et al. Revani: Revising and Verifying Normative Specifications for Privacy. IEEE Intelligent Systems, 31(5):8-15, 2016
AI FOR SECURITY & PRIVACY
RQ2: STS Design with Tradeoffs
Regiment (technical) or regulate (social)?
Functionality or security?
Comply with multiple regulations
Design patterns
Refinement based on changing requirements
Kafalı et al. Kont: Computing Tradeoffs in Normative Multiagent Systems. AAAI Conference on Artificial Intelligence, pages 3006–3012, 2017
AI FOR SECURITY & PRIVACY
RQ3: Requirements Extraction
[Figure: requirements extraction diagram. Labels: Pre-deployment Artifacts; Documentation; ...; Regulations; Post-deployment Artifacts; Breach Reports; Connection.]
Normative formalization to connect regulations and breaches
Ontology of breach concepts
Semantic similarity metric to identify gaps or holes
Kafalı et al. How Good is a Security Policy against Real Breaches? A HIPAA Case Study. Proceedings of the 39th International Conference on Software Engineering (ICSE), pages 530-540, 2017
AI FOR SECURITY & PRIVACY
Breach Analysis
HHS breach incident: In 2010, an employee in a covered entity forgot to erase data contained on disposed photocopiers’ hard drives, which led to disclosure of patient records.
HIPAA clause 45 CFR 164.310–(d)(2)(i): “A covered entity or business associate must implement policies and procedures to address the final disposition of electronic protected health information, and the hardware or electronic media on which it is stored.”
HHS: US Department of Health and Human Services
HIPAA: US Health Insurance Portability and Accountability Act
AI FOR SECURITY & PRIVACY
Breach Ontology
[Figure: breach ontology tree. Root: Breach. Second level: Unintentional disclosure; Outsider attack; Insider attack. Leaves: Share data with colleague; Share data with family; Malware; Phishing; Share data with outsider.]
Annotations added over successive builds of the slide:
Similar: same parent
Not similar: distant
Distance = Similarity?
Node attributes shown in the final build: hasActor: Physician; hasActor: Adversary; hasActor: Employee
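Added example, not part of the talk or the cited paper: it compares raw edge distance with the standard Wu-Palmer measure on the breach ontology above, to illustrate the "Distance = Similarity?" question. The parent links and the hasActor placement are assumptions read off the slide layout, and Wu-Palmer is swapped in for illustration; it is not the similarity metric of the ICSE paper.

```python
# ASSUMPTION: parent links and hasActor placement are inferred from the slide
# layout; the transcript does not state them explicitly.
PARENT = {
    "Unintentional disclosure": "Breach",
    "Outsider attack": "Breach",
    "Insider attack": "Breach",
    "Share data with colleague": "Unintentional disclosure",
    "Share data with family": "Unintentional disclosure",
    "Malware": "Outsider attack",
    "Phishing": "Outsider attack",
    "Share data with outsider": "Insider attack",
}
ACTOR = {
    "Share data with colleague": "Physician",
    "Share data with family": "Physician",
    "Malware": "Adversary",
    "Phishing": "Adversary",
    "Share data with outsider": "Employee",
}

def ancestors(node):
    """Path from node up to the root, node first."""
    path = [node]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path

def lca(a, b):
    """Lowest common ancestor of two concepts."""
    on_b_path = set(ancestors(b))
    return next(n for n in ancestors(a) if n in on_b_path)

def distance(a, b):
    """Number of edges on the tree path between a and b."""
    common = lca(a, b)
    return ancestors(a).index(common) + ancestors(b).index(common)

def wu_palmer(a, b):
    """Wu-Palmer similarity: 2*depth(lca) / (depth(a)+depth(b)), root depth 1."""
    depth = lambda n: len(ancestors(n))
    return 2 * depth(lca(a, b)) / (depth(a) + depth(b))

def same_actor(a, b):
    """True when both concepts carry the same hasActor value."""
    return a in ACTOR and ACTOR[a] == ACTOR.get(b)

if __name__ == "__main__":
    for a, b in [("Malware", "Phishing"), ("Outsider attack", "Insider attack"),
                 ("Malware", "Share data with family")]:
        print(a, "|", b, distance(a, b), round(wu_palmer(a, b), 2), same_actor(a, b))
```

Malware/Phishing and Outsider attack/Insider attack are both two edges apart, yet the depth-aware measure ranks the first pair as more similar, which is one reason edge distance alone is a weak proxy for similarity.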
AI FOR SECURITY & PRIVACY
Methodology
[Figure: methodology pipeline, revealed over successive builds of the slide. Box labels: Represent Breach; Identify Policy; Represent Policy; Resolve Disagreements; Semantic Reasoner; Coverage Metric; Breach Ontology; Policy Coverage.]
AI FOR SECURITY & PRIVACY
HHS Breach Reports
Notice to the Secretary of HHS breach of unsecured protected health information affecting 500 or more individuals: https://ocrportal.hhs.gov/ocr/breach/
AI FOR SECURITY & PRIVACY
How Good is HIPAA against Real Breaches?
[Figure: bar chart. Y axis: Coverage % (0 to 100). Categories, in order: Overall; Hacking; Theft; Loss; Unauthorized disclosure; Improper disposal. Bar values as extracted, in order: 65, 78, 87, 40, 32, 83.]
56% malicious misuses and 44% accidental misuses
Better coverage for malicious misuses than accidental misuses
FUTURE WORK
Natural Language Processing
Breach description: Two laptop computers with questionable encryption were stolen from the Covered Entity (CE)’s premises.
Follow-up action: The CE reported the theft to law enforcement.
Follow-up action: The CE worked with the local police to recover the laptops.
Follow-up action: The CE developed and implemented new policies and procedures to comply with the HIPAA Security Rule.
Follow-up action: The CE placed an accounting of disclosures in the medical records of all affected individuals.
Impact to practice: Standards for breach reporting
FUTURE WORK
User Expectations
Existing design efforts divided between:
  Secure software design disregards user expectations
  Usable security and privacy research relies on heuristics about user attitudes (e.g., collected via interviews, surveys)
Develop unified representations of user expectations and software implementation
Identify discrepancies between user expectations and software implementation
Implications to practice: Help IoT device developers, Android app developers
Kafalı et al. Nane: Identifying Misuse Cases Using Temporal Norm Enactments. Proceedings of the 20th International Requirements Engineering Conference (RE), pages 136-145, 2016
FUTURE WORK
Digital Forensics and Accountability
Logging: Adequate vs excessive
Computational models of accountability
Improved threat modelling (e.g. attack/defense trees)
AI techniques such as intention recognition
Prioritisation of misuse via interactive game-playing
Kafalı and Singh. Improving Cybersecurity: User Accountability and Sociotechnical Systems. https://www.computer.org/web/computingnow/archive/improving-cybersecurity-april-2017-introduction
CONCLUSIONS
Collaborators
Dr Munindar Singh – North Carolina State University, US
Dr Laurie Williams – North Carolina State University, US
Dr Kostas Stathis – Royal Holloway University of London, UK
Dr Alberto Paccanaro – Royal Holloway University of London, UK
Dr Francesca Toni – Imperial College London, UK
Dr Akın Gunay – Lancaster University, UK
Dr Paolo Torroni – University of Bologna, Italy
Dr Pınar Yolum – Utrecht University, Netherlands
Dr Bedour Alrayes – King Saud University, Saudi Arabia