Leveraging the Multi-Stakeholder Nature of Cyber Security
Lead Research Organisation:
University of Nottingham
Department Name: School of Computer Science
Abstract
Cyber Security (CyS) is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise to comprehensively assess the level of security of a given IT system is commonly not all available in one location; e.g. detail on the IT components within a company is available within that company, while detail on operating system software vulnerability may be available to the OS manufacturer and further expert insight may be available to public security agencies, such as CESG. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to effectively communicate and work together in order to deliver systems with an appropriate level of CyS assurance.
This interdisciplinary project brings together leading academic experts from the University of Nottingham, UK and Carnegie Mellon University, USA, with a strongly integrated project partner: CESG, the UK's National Technical Authority for Information Assurance. The project is designed to leverage the distributed, multi-stakeholder nature of CyS by developing a novel framework, with the necessary scientific underpinning, to improve access to user-tailored CyS information, operationalised as a cutting-edge, data-driven Online CYber Security decision support System (OCYSS). This approach is designed to directly address an acute shortage of, and limited access to, highly qualified CyS experts, a problem affecting users from small organisations to large ones across government and industry.
The role of OCYSS is to integrate expert and user inputs, capturing the commonly uncertain vulnerability levels of individual components as well as vulnerabilities arising from the interaction or combination of those components, in order to deliver appropriate, balanced, informed and up-to-date threat analysis and CyS decision support to users.
Importantly, the OCYSS framework:
- Addresses the limited availability of CyS experts by comprehensively capturing and aggregating their insight and expertise to assess the vulnerability, including associated levels of uncertainty, of individual system components (e.g. intrusion detection, encryption) and of their interactions (e.g. SSL 3.0 combined with a weak password). This information is captured centrally by OCYSS and updated regularly.
- Avoids delays in threat analysis and potential mitigation by providing a direct pathway for newly discovered component vulnerabilities and component-interaction vulnerabilities (with their associated uncertainty) to be rapidly put forward, including by manufacturers such as Oracle and third-party organisations such as Symantec.
- Is designed to deliver user-tailored, comprehensive threat analysis and decision support that is continuously updated as new information becomes available. The OCYSS outputs come in two stages, each capturing uncertainty: A) the threat analysis inputs (e.g. uncertainty around a component vulnerability over time and across different experts), and B) an intuitive benefit-cost analysis of threat mitigation in response to the asset ranking supplied by users (e.g. a low-value asset may not warrant a high investment to address a low threat).
Going beyond the scope of a standard research project, this project is designed to not only deliver cutting-edge science, developing key advances in data science and HCI, but to also deliver a real-world, open source prototype of the OCYSS framework. This enables the project to conduct an exceptional level of evaluation and tailoring to real-world CyS challenges, including the deployment of OCYSS in real-world contexts such as government departments advised by CESG. Further, through this approach, the project is able to deliver both open source algorithms and a substantial open-source software platform prototype, facilitating the academic reproduction of results, as well as substantially boosting the potential of commercial up-take of the project outcomes.
Planned Impact
The proposed research will directly benefit UK stakeholders in the public and commercial sectors which are dependent on the UK's ability to perform informed, timely and accurate cyber security (CyS) assessments and decisions. Through enabling user-specific, comprehensive, up-to-date and actionable decision support, including dynamically updated cost-benefit analysis highlighting priority areas of investment to improve security, the project is designed to deliver clear benefits in CyS and thus in UK IT system resilience. The latter is of direct benefit to the UK's economy and wider population. At an international level, insights gained will be applicable to supporting CyS efforts beyond the UK, in the US and world-wide.
As highlighted by CESG, the UK Government's National Technical Authority for Information Assurance, the proposed work addresses urgent challenges in CyS around the lack of availability of, and access to, highly qualified CyS experts for large, medium and small users. This prevents timely cyber-security assessment of users' IT systems, exposing them, their respective users and the wider UK public to cyber-attack, including the theft of both commercial and personal data. The project is designed to leverage the distributed, multi-stakeholder nature of CyS by introducing a framework (and the required scientific underpinnings) which combines the expertise of CyS experts and trusted third parties (captured regularly) with user-provided information on their IT systems, in order to deliver up-to-date, comprehensively informed, user-tailored CyS assessments and decision support. The project goes beyond the creation of an academic framework, producing a real-world, open-source software prototype which will enable real-world deployment and evaluation and facilitate both commercial up-take and academic replication.
Through working closely with the international partner, Carnegie Mellon University (CMU), and with CESG, the project is in a unique position to deliver real impact that goes beyond academic output and real-world tools: it will lay the foundations for a novel sector in the UK CyS industry which provides CyS decision support by aggregating multiple sources, both human and digital.
Specifically:
- By working closely with and leveraging strong support from CESG, the project is designed to deliver the foundations for a new comprehensive approach to CyS assessment which combines the knowledge of the UK's world-leading CyS experts with cutting-edge interdisciplinary data, HCI, and Human Factors science for data elicitation, fusion and communication techniques in order to provide a step-change in the availability and quality of CyS decision support.
- Through strong collaboration with CMU, a world leader in CyS, the project provides a pathway for cross-learning between the UK and the US, as well as creating a platform for extended networking both for the project partners and for the wider UK CyS sector. For example, the project includes two outward-facing workshops designed specifically for this purpose.
Beyond impact related directly to CyS assessments, the methods created during this research will also deliver impact through informing analysis in other contexts where the systematic fusion of generally qualitative human insight with often uncertain quantitative data is vital, such as environmental planning and market research.
The proposed research directly addresses the Partnership for Conflict, Crime and Security Research (PaCCS) RCUK priority area of CyS. No project in EPSRC's portfolio addresses the essential research at the interface of data science, modelling of uncertain data and HCI / Human Factors in the way the proposed project does. Finally, as an underpinning aspect of the Digital Economy (DE), the combination of human insight and expertise with smart data processing and representation is directly relevant to the DE and ICT areas of HCI, AI Technologies, Graphics and Visualisation, and Information Systems.
Publications
Ellerby Z
(2019)
Probability Matching on a Simple Simulated Foraging Task: The Effects of Reward Persistence and Accumulation on Choice Behavior
in Advances in Cognitive Psychology
McCulloch J
(2018)
SyFSeL: Generating Synthetic Fuzzy Sets Made Simple
Pekaslan D
(2018)
Noise Parameter Estimation for Non-Singleton Fuzzy Logic Systems
Razak T
(2017)
Interpretability indices for hierarchical fuzzy systems
Description | We have found evidence that modelling interval-valued (component) data enables a better approximation of overall vulnerability assessments. This is important: in a cyber security context, for example, it shows that there is value in capturing the uncertainty associated with the vulnerability of each component in an attack vector, in order to better predict the vulnerability of the attack vectors containing those components, including the associated uncertainty. We have shown that people are proficient (without training) at providing interval-valued responses to communicate range and uncertainty, which in turn highlights the value of capturing such information, for example when gathering data through questionnaires. Initial findings indicate that people are better at estimating conjunctive sets (e.g. true ranges, such as the numbers between 2 and 6) than disjunctive sets (e.g. confidence intervals). If confirmed, this is important, as it may be possible to frame information using conjunctive sets, resulting in improved data capture and communication. Further, the research has uncovered that similar mechanisms for eliciting, modelling and analysing vague and uncertain information have considerable potential in other domains where human perceptions and broader input are important, ranging from the design of fast-moving consumer goods to marketing and healthcare. |
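The pipeline the abstract sketches (component vulnerabilities carried with their uncertainty, interaction vulnerabilities built from them, and an asset-value-weighted benefit-cost stage) together with the interval-valued finding above, as an added worked example in Python. This is not code from OCYSS or DECSYS. The rule that clips an ellipse to the response scale, the hull used to aggregate experts, the independence-based product and noisy-OR combination of intervals, and the benefit/cost ratio with break-even at 1 are all assumptions chosen for illustration; the expert responses, component and vector names, mitigation costs and asset values are constructed.

```python
from typing import Dict, List, Tuple

Interval = Tuple[float, float]  # (lower, upper) bound of a score on a 0..1 scale


def ellipse_to_interval(centre: float, half_width: float,
                        scale: Interval = (0.0, 1.0)) -> Interval:
    """Turn an ellipse drawn on a horizontal response scale into an interval.

    The ellipse's horizontal extent is the respondent's range; any part drawn
    past either end of the scale is clipped to it (assumed rule, not DECSYS's).
    """
    lo = max(scale[0], centre - half_width)
    hi = min(scale[1], centre + half_width)
    if lo > hi:
        raise ValueError("ellipse lies entirely outside the response scale")
    return (lo, hi)


def hull(intervals: List[Interval]) -> Interval:
    """Envelope of several experts' intervals: disagreement shows up as width."""
    return (min(lo for lo, _ in intervals), max(hi for _, hi in intervals))


def interval_and(a: Interval, b: Interval) -> Interval:
    """Both steps succeed, assuming independence (assumed combination rule)."""
    return (a[0] * b[0], a[1] * b[1])


def interval_or(a: Interval, b: Interval) -> Interval:
    """At least one of two independent vectors succeeds (noisy-OR on bounds)."""
    return (1 - (1 - a[0]) * (1 - b[0]), 1 - (1 - a[1]) * (1 - b[1]))


def vector_likelihood(chain: List[Interval]) -> Interval:
    """Likelihood interval for an attack vector that needs every step in the chain."""
    out: Interval = (1.0, 1.0)
    for step in chain:
        out = interval_and(out, step)
    return out


def rank_mitigations(asset_value: float, vectors: Dict[str, Interval],
                     mitigations: Dict[str, Tuple[float, List[str]]]
                     ) -> List[Tuple[str, Interval]]:
    """Benefit/cost interval per mitigation, best first by its lower bound.

    Benefit is the expected loss removed: asset_value * P(any closed vector
    succeeds). Sorting on the lower bound is a deliberately cautious choice.
    """
    ranked = []
    for name, (cost, closed) in mitigations.items():
        closed_any: Interval = (0.0, 0.0)
        for v in closed:
            closed_any = interval_or(closed_any, vectors[v])
        ranked.append((name, (asset_value * closed_any[0] / cost,
                              asset_value * closed_any[1] / cost)))
    ranked.sort(key=lambda item: item[1][0], reverse=True)
    return ranked


def funding_decision(benefit_cost: Interval) -> str:
    """Second-stage output: the interval may straddle break-even (ratio 1)."""
    if benefit_cost[0] >= 1.0:
        return "fund"
    if benefit_cost[1] < 1.0:
        return "reject"
    return "uncertain"


# Constructed sample data (not real elicitation results): three experts each
# draw an ellipse (centre, half-width) on a 0..1 "likelihood this component is
# exploited" scale for each component.
EXPERT_RESPONSES: Dict[str, List[Tuple[float, float]]] = {
    "ssl3_enabled":  [(0.70, 0.10), (0.60, 0.15), (0.75, 0.05)],
    "weak_password": [(0.50, 0.20), (0.40, 0.10), (0.55, 0.15)],
    "unpatched_cms": [(0.20, 0.05), (0.15, 0.05), (0.25, 0.10)],
}

# Hypothetical mitigations: name -> (cost, attack vectors it closes).
MITIGATIONS: Dict[str, Tuple[float, List[str]]] = {
    "disable_ssl3":            (2_000.0,  ["downgrade_then_credential"]),
    "enforce_password_policy": (15_000.0, ["downgrade_then_credential"]),
    "patch_cms":               (5_000.0,  ["cms_rce"]),
}


def assess(asset_value: float):
    """Run the pipeline for one asset value; returns (components, vectors, ranking)."""
    components = {name: hull([ellipse_to_interval(c, w) for c, w in responses])
                  for name, responses in EXPERT_RESPONSES.items()}
    vectors = {
        # interaction vulnerability: SSL 3.0 downgrade followed by credential abuse
        "downgrade_then_credential": vector_likelihood(
            [components["ssl3_enabled"], components["weak_password"]]),
        "cms_rce": vector_likelihood([components["unpatched_cms"]]),
    }
    return components, vectors, rank_mitigations(asset_value, vectors, MITIGATIONS)


if __name__ == "__main__":
    for value in (100_000.0, 3_000.0):
        _, _, ranking = assess(value)
        print(f"asset value {value:>9.0f}:")
        for name, ratio in ranking:
            print(f"  {name:<24} benefit/cost [{ratio[0]:.2f}, {ratio[1]:.2f}] "
                  f"-> {funding_decision(ratio)}")
```

Running it shows the two-stage behaviour: for the high-value asset, disabling SSL 3.0 is cheap enough that even the pessimistic bound clears break-even, while the password policy's interval straddles 1 and is reported as uncertain rather than forced into a yes/no; for the low-value asset every mitigation's optimistic bound stays below 1, so the same component data yields a reject across the board.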
Exploitation Route | Many of the findings are generic and can be applied to a variety of contexts where vague and/or uncertain data can be captured, modelled and analysed, including for AI based decision support. This is for example applicable in polling, marketing, manufacturing, healthcare and cyber security. |
Sectors | Communities and Social Services/Policy, Digital/Communication/Information Technologies (including Software), Financial Services and Management Consultancy, Government, Democracy and Justice, Manufacturing, including Industrial Biotechnology, Security and Diplomacy |
URL | https://www.lucidresearch.org/decsys.html |
Description | They have contributed to the design of the open-access platform DECSYS, allowing questionnaire design and administration with non-standard response modes, such as the interval-valued response mode, in turn affording efficient and effective elicitation of response uncertainty. |
First Year Of Impact | 2021 |
Sector | Agriculture, Food and Drink, Digital/Communication/Information Technologies (including Software), Financial Services and Management Consultancy, Manufacturing, including Industrial Biotechnology, Retail, Security and Diplomacy |
Impact Types | Societal, Economic, Policy & public services |
Title | Ellipse-based response-format to capture interval-valued responses. |
Description | This is a novel survey response-format. It allows respondents to quickly and easily provide interval-valued responses, to indicate uncertainty, vagueness or inherent range in their responses. Although it is already possible to capture interval-valued responses in a number of ways, this novel response-format allows provision of these more data-rich responses in a substantially more cohesive and intuitive manner. Specifically, respondents draw an ellipse, of variable size, that encompasses the full portion of the response-scale that they feel represents an appropriate response. Empirical assessment of the added-value and usability of this response-format is currently being conducted. This is being done in parallel with development of practical methods to capture these responses in digital format, taking advantage of the recent proliferation of touch-screen (and particularly stylus-based) devices. We believe that making software available to allow easy uptake and application of this response-format will facilitate its future use across a broad variety of domains, which each stand to benefit from capture of the additional information provided by interval-valued responses. |
Type Of Material | Physiological assessment or outcome measure |
Year Produced | 2019 |
Provided To Others? | Yes |
Impact | Initial publication of this method is in progress (FUZZ-IEEE 2019). Full open-source release of the accompanying software is due later this year. |
URL | http://www.lucidresearch.org/software.html |
Description | Collaboration with Computer and Decision Sciences at Carnegie Mellon University, USA |
Organisation | Carnegie Mellon University |
Country | United States |
Sector | Academic/University |
PI Contribution | Together with colleagues in both the Departments of Computer and of Decision Sciences at CMU, we have engaged in joint research advancing the capture and modelling of uncertainty in data, in particular within the context of cyber security. From the UK, we have led the work, including on publications and organised workshops, including at CMU. Further, we have jointly developed funding proposals to UK funders such as the Royal Society. |
Collaborator Contribution | Partners have spent time on extended visits (multiple weeks) for research exchange in the UK and contributed to research design, study execution and publication development. |
Impact | All jointly authored outputs. |
Start Year | 2018 |
Title | DECSYS - Discrete and Ellipse-based response Capture SYStem. |
Description | This software enables the creation and administration of digital surveys that elicit both conventional and interval-valued responses (using a novel ellipse-based response format). DECSYS incorporates a range of features, and is designed to maximise versatility for experimenters and usability for participants. Surveys can be conducted either locally or online, and results easily exported. The key component of DECSYS is that it provides a vehicle for digital capture of survey responses using an ellipse-based response-format. DECSYS takes advantage of the recent proliferation of touch-screen (and particularly stylus-based) devices to do so in a fast, cohesive and intuitive manner. The ellipse-based format allows respondents to quickly and easily provide interval-valued responses, so as to indicate uncertainty, vagueness or inherent range in their responses. Specifically, respondents draw an ellipse, of variable size, that encompasses the full portion of the response-scale that they believe represents an appropriate response. Empirical assessment of the added-value and usability of this response-format is also currently being conducted. |
Type Of Technology | Webtool/Application |
Year Produced | 2019 |
Open Source License? | Yes |
Impact | This software is due for open-source release in the summer (2019). We believe that its provision will facilitate uptake and application of the ellipse-based response-format across a broad variety of domains, which each stand to benefit from capture of the additional information provided by interval-valued responses. |
URL | http://www.lucidresearch.org/software.html |
Title | DECSYS major feature update (Prolific integration) |
Description | DECSYS - 'Discrete and Ellipse-based response Capture SYStem' - enables creation and administration of digital surveys that elicit both conventional and interval-valued responses (using an ellipse-based response format). This output relates to a substantial feature update to the software, permitting integration with the 'Prolific' online sampling service (cf. Palan & Schitter, 2018). This includes automatic direction of study participants from Prolific to DECSYS study sub-surveys (i.e., randomised condition allocation), recording of participants' pseudonymous Prolific IDs, as well as auto-redirection to Prolific with survey completion code for confirmation. This greatly facilitates online sampling at scale for interval-valued surveys, including for representative samples (using the Prolific automatic sample stratification tool). DECSYS incorporates a range of features, and is designed to maximise versatility for experimenters and usability for participants. Surveys can be conducted either locally or online, and results easily exported. The key component of DECSYS is that it provides a vehicle for efficient digital capture of interval-valued survey responses using an ellipse-based response mode. DECSYS takes advantage of the recent proliferation of touch-screen devices to do so in a fast, cohesive and intuitive manner. The ellipse response mode allows respondents to quickly and easily provide interval-valued responses, so as to indicate uncertainty, vagueness, or inherent range in their responses. |
Type Of Technology | New/Improved Technique/Technology |
Year Produced | 2021 |
Open Source License? | Yes |
Impact | At least two research studies have been conducted using this new feature. This permitted recruitment of stratified samples online, substantially improving sample representativeness in both cases. |
URL | https://www.lucidresearch.org/decsys.html |
Description | DECSYS workshop at Carnegie Mellon University |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Postgraduate students |
Results and Impact | This was a presentation and workshop about the DECSYS survey software, at Carnegie Mellon University. This was attended by postgraduate students and academic staff from multiple departments, and involved a presentation, demonstration and opportunity for use of the DECSYS software. Following the visit, we left equipment at CMU to permit future use of this survey software and facilitate future collaborative research, which we hope to conduct this year. |
Year(s) Of Engagement Activity | 2019 |
URL | http://www.lucidresearch.org/decsys.html |
Description | Interactive virtual workshop at Canberra Artificial Intelligence Week |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | This was a two-hour virtual workshop/tutorial session at Canberra AI Week, titled 'Capture and Handling of Uncertainty at Source - using intervals rather than numbers in AI'. This covered the added value of capturing 'uncertainty-aware' data, as well as demonstration and discussion around efficient interval-valued data capture and cutting-edge modelling and statistical analysis techniques. This included a live survey study soliciting views on various aspects of Artificial Intelligence, with reporting of preliminary results being used to illustrate how capture of uncertainty in responses can provide better insights, as well as a demonstration of the DECSYS survey software in the context of citizen science. |
Year(s) Of Engagement Activity | 2020 |
URL | http://canberraai.net/caiss2020/ |
Description | Interactive virtual workshop/tutorial session at Fuzz-IEEE 2021 |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | This was a two-hour virtual workshop/tutorial session at the Fuzz-IEEE 2021 annual conference, titled 'Capture and Handling of Uncertainty at Source - Using Intervals in AI and Why it Matters'. This covered the added value of capturing 'uncertainty-aware' data, as well as demonstration and discussion around efficient interval-valued data capture and cutting-edge modelling and statistical analysis techniques. This included a live survey study designed to demonstrate the DECSYS software and solicit views on various aspects of Artificial Intelligence, with reporting of preliminary results being used to illustrate how capture of uncertainty in responses can provide better insights. |
Year(s) Of Engagement Activity | 2021 |
URL | https://attend.ieee.org/fuzzieee-2021/tutorials/#UICHU |
Description | Interview for press release about journal publication |
Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | I was interviewed by the University of Nottingham Faculty of Science media relations manager, to provide details on a recent paper (Ellerby, Wagner & Broomell, 2021) for a university press release. This was subsequently picked up and reported on by a couple of other online news websites. |
Year(s) Of Engagement Activity | 2021 |
URL | https://www.nottingham.ac.uk/news/understanding-uncertainty-with-a-new-take-on-questionnaires |
Description | Invited Keynote on 'Articulating uncertainty-at-source' at SiRAcon22 |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Invited Keynote on 'Articulating uncertainty-at-source' at SiRAcon22 (Society of Information Risk Analysts Conference 2022), Virtual, May 2022. |
Year(s) Of Engagement Activity | 2022 |
URL | https://www.societyinforisk.org |
Description | Poster presentation at MathPsych conference |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | This was a poster presentation detailing preliminary results of a study conducted this year, regarding the efficacy of interval-valued responses in capturing three sources of response uncertainty. This was presented at MathPsych 2019 (Montreal) during the main poster session. It involved discussion about and demonstration of the DECSYS software and associated ellipse-based interval-valued response format, over a period of a few hours, with many students and academics who attended the conference. |
Year(s) Of Engagement Activity | 2019 |
URL | https://osf.io/s6y2d/ |
Description | Research meeting with NCSC Socio-Technical Security Group |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Members of the project team met, on two occasions, with several representatives of the National Cyber-Security Centre's Socio-Technical Security Group. Meetings comprised a two-way discussion on recent and ongoing research, with the aim of identifying areas of common research interest and fostering future collaboration. |
Year(s) Of Engagement Activity | 2022 |
Description | Summer School Session on Interval-valued data in Artificial Intelligence |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Other audiences |
Results and Impact | A virtual, two-hour workshop/tutorial session at Canberra AI Week, titled 'Capture and Handling of Uncertainty at Source - using intervals rather than numbers in AI', attended by students, researchers and industry. The workshop covered the added value of capturing 'uncertainty-aware' data, as well as demonstration and discussion around efficient interval-valued data capture and cutting-edge modelling and statistical analysis techniques, with a specific focus on interval-valued regression. It included a live survey study soliciting views on various aspects of Artificial Intelligence, with reporting of preliminary results being used to illustrate how capture of uncertainty in responses can provide better insights, as well as a demonstration of the DECSYS survey software. |
Year(s) Of Engagement Activity | 2020 |
URL | http://canberraai.net/caiss2020/ |