Leveraging the Multi-Stakeholder Nature of Cyber Security

Lead Research Organisation: University of Nottingham
Department Name: School of Computer Science

Abstract

Cyber Security (CyS) is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise to comprehensively assess the level of security of a given IT system is commonly not all available in one location; e.g. detail on the IT components within a company is available within that company, while detail on operating system software vulnerability may be available to the OS manufacturer and further expert insight may be available to public security agencies, such as CESG. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to effectively communicate and work together in order to deliver systems with an appropriate level of CyS assurance.

This interdisciplinary project brings together leading academic experts from the University of Nottingham, UK and Carnegie Mellon University, USA, with a strongly integrated project partner: CESG - the UK's National Technical Authority for Information Assurance. The project is designed to leverage the distributed, multiple human stakeholder nature of CyS by developing a novel framework with the necessary scientific underpinning to improve user access to user-tailored CyS information, operationalised as a cutting-edge, data-driven Online CYber Security decision support System (OCYSS). This approach is designed to directly address an acute shortage of availability and access to highly qualified CyS experts by both small-to-large scale users from government to industry.

The role of OCYSS is to effectively and efficiently integrate expert and user inputs, capturing commonly uncertain vulnerability levels of individual components as well as vulnerabilities arising from the interaction/combination of these components, to efficiently deliver appropriate, balanced, informed and up-to-date threat analysis and CyS decision support to users.

Importantly, the OCYSS framework:
- Addresses the limited availability of CyS experts by comprehensively capturing and aggregating their insight and expertise to assess the vulnerability, including associated levels of uncertainty, of individual system components (e.g. intrusion detection, encryption) and their interactions (e.g. SSL 3.0 and weak password). This information is captured centrally by OCYSS and updated regularly.
- Avoids delays in threat analysis and potential mitigation by providing a direct pathway for newly discovered component vulnerabilities & component interaction vulnerabilities (and associated uncertainty) to be rapidly put forward, incl. by manufacturers such as Oracle and third party organisations such as Symantec.
- Is designed to deliver user-tailored, comprehensive and up-to-date threat analysis and decision support which is continuously updated as new information becomes available. OCYSS's two-stage outputs capture uncertainty in A) the threat analysis inputs (e.g. uncertainty around a component vulnerability over time and by different experts) and B) in intuitive benefit-cost analysis on threat mitigation in response to asset ranking by users (e.g. a low value asset may not warrant a high investment to address a low threat).

Going beyond the scope of a standard research project, this project is designed to not only deliver cutting-edge science, developing key advances in data science and HCI, but to also deliver a real-world, open source prototype of the OCYSS framework. This enables the project to conduct an exceptional level of evaluation and tailoring to real-world CyS challenges, including the deployment of OCYSS in real-world contexts such as government departments advised by CESG. Further, through this approach, the project is able to deliver both open source algorithms and a substantial open-source software platform prototype, facilitating the academic reproduction of results, as well as substantially boosting the potential of commercial up-take of the project outcomes.

Planned Impact

The proposed research will directly benefit UK stakeholders in the public and commercial sectors which are dependent on the UK's ability to perform informed, timely and accurate cyber security (CyS) assessments and decisions. Through enabling user-specific, comprehensive, up-to-date and actionable decision support, incl. dynamically updated cost-benefit analysis highlighting priority areas of investment to improve security, the project is designed to deliver clear benefits in CyS and thus UK IT system resilience. The latter is of direct benefit to the UK's economy and wider population. At an international level, insights gained will be applicable to supporting CyS efforts beyond the UK, in the US and world-wide.

As highlighted by CESG, the UK Government's National Technical Authority for Information Assurance, the work proposed addresses urgent challenges in CyS around the lack of availability and access to highly qualified CyS experts by large, medium and small-size users. This prevents timely cyber-security assessments of users' IT systems, exposing them, their respective users and the wider UK public to cyber-attack incl. the theft of both commercial and personal data. The project is designed to leverage the distributed multi-stakeholder nature of CyS by introducing a framework (and required scientific underpinnings) which combines the expertise of CyS experts and trusted third parties (captured regularly) with the user-provided information on user IT systems, in order to deliver up-to-date, comprehensively informed, user-tailored CyS assessments and decision support. The project goes beyond the creation of an academic framework - producing a real-world, open-source software prototype which will enable real-world deployment and evaluation and facilitate both commercial up-take and academic replication.

Through working closely with the international partner, Carnegie Mellon University (CMU), and with CESG, the project is in a unique position to deliver real impact that goes beyond academic output and real-world tools, laying the foundations for a novel sector in the UK CyS industry which provides CyS decision support by aggregating multiple sources, incl. human and digital ones.

Specifically:
- By working closely with and leveraging strong support from CESG, the project is designed to deliver the foundations for a new comprehensive approach to CyS assessment which combines the knowledge of the UK's world-leading CyS experts with cutting-edge interdisciplinary data, HCI, and Human Factors science for data elicitation, fusion and communication techniques in order to provide a step-change in the availability and quality of CyS decision support.
- Through strong collaboration with CMU, a world leader in CyS, the project provides a pathway for cross-learning between the UK and the US as well as creating a platform for extended networking both for the project partners but also for the wider UK CyS sector. For example, the project includes two outward facing workshops designed specifically for this purpose.

Beyond impact related directly to CyS assessments, the methods created during this research will also deliver impact through informing analysis in other contexts where the systematic fusion of generally qualitative human insight with often uncertain quantitative data is vital, such as environmental planning and market research.

The proposed research directly addresses the Partnership for Conflict, Crime and Security Research (PaCCS) RCUK priority area of CyS. No funding in EPSRC's portfolio addresses the essential research at the interface of data science, modelling of uncertain data and HCI / Human Factors in the way the proposed project does. Finally, as an underpinning aspect of the Digital Economy (DE), the combination of human insight & expertise with smart data processing and representation is directly relevant to the DE and ICT areas in HCI, AI Technologies, Graphics and Visualisation and Information Systems.
 
Description The findings have been fed into both public and private sector outputs, including an invited talk at CyberUK 2018 - the UK's premier, government-led conference in cyber security; as well as a new collaboration with JPMC who, as one of the largest financial institutions in the UK, form part of the UK's critical national infrastructure. The collaboration's initial output is a KTP proposal to be submitted in the first half of 2018.
First Year Of Impact 2018
Sector Digital/Communication/Information Technologies (including Software), Financial Services and Management Consultancy, Security and Diplomacy
Impact Types Societal, Economic, Policy & public services