I’ve had a few security modelling papers published recently:

Systems Security Policy

Two of the papers are about the systems modelling approach I’ve been working on with David Pym. The first, Modelling and simulating systems security policy, I presented at the Simutools 2015 conference in Athens, Greece. The second, Improving Security Policy Decisions with Models, was published in IEEE Security and Privacy magazine and presents a higher-level, more accessible version of the work.

In the papers, we explain the framework and methodology we have developed for creating models of systems and their security policy. Security managers must design and implement security policies that successfully meet the requirements of their organisation. However, this can be challenging as it can be very hard to predict the consequences of security policy decisions. The goal of our work is to help security managers make better decisions by allowing them to explore, using models, the consequences of different policy choices.

In order to be able to do this, the models must be able to capture the logical and physical structure of the systems, the behaviour of agents within the system and the choices they make, as well as the policy itself. Additionally, we need to be able to represent the security manager’s preferences about outcomes in order to understand how well a particular policy performs.

Our methodology, which is based on mathematical systems modelling and incorporates economics and utility theory, allows us to do just this. It is also compositional, meaning that large and complex systems can be modelled by first building smaller, less complex models of parts of the system and then combining them together. This makes the task of creating models much easier, and also allows the interactions of policies on different parts of the system to be explored.

Preprint PDFs: Simutools and Security and Privacy.

Optimizing Time Allocation for Network Defence

The final paper, Optimizing time allocation for network defence, has just been published in the new, open-access Journal of Cybersecurity. This is joint work with Andrew Fielder and in the paper we seek to find the best way a system administrator can allocate time between different network security tasks and other, non-security tasks.

We start with notion that, in many cases, administrators have many other tasks they need to fulfill in addition to maintaining the security of computer networks. Concentrating solely on security tasks and neglecting other tasks means they go unfinished, which is potentially costly for a business. On the other hand, neglecting security tasks can result in expensive losses if systems are compromised. The optimal way to divide time between tasks depends on the current state of the network: if everything seems fine and there are no known vulnerabilities in your software, it is probably better to spend time on non-security tasks; if there is a known vulnerability and no patch yet released, spending more time monitoring the network is probably beneficial; if a system has been compromised, it is probably worth spending the time to restore it to a clean state.

In the paper, we build a model that takes the layout of the network, the rates at which vulnerabilities occur, the costs associated with different actions, the costs of neglecting non-security tasks, and the costs of system compromise. Then, using game theory and dynamic programming, we calculate a policy that gives, for all possible beliefs about the network state, what the optimal allocation of time between different tasks is.

The paper is freely available here.