Model-Driven Information Security Risk Assessment of Socio-Technical Systems

As more aspects of life transition to the digital domain, computer systems become increasingly complex but also more social. But assessing a socio-technical system is no trivial task: it often requires intimate knowledge of the system, awareness of the social dynamics and trust relationships of its users, a deep understanding of both hardware and software, as well as the ability to quantify risks, communicate security policies and engage stakeholders. Conceptual models, as tools designed to help make sense of complex issues, can help with some of these problems. This dissertation explores the role of conceptual models in assessing risks related to the development and operation of socio-technical systems. I propose several model-driven modelling and analysis approaches which can be used stand-alone but can also augment existing risk management processes. The approaches are centered on three modelling paradigms not traditionally used in risk management. I use Tangible modelling, i.e. “physical” modeling using graspable three-dimensional tokens, to facilitate the collaborative modelling of socio-technical systems. I find it has beneficial effects on the quality of the resulting models when the modellers, especially when some of the modelers have a technical background. I use argumentation modelling, i.e. recording the rationale behind claims can support the security decision-making process, to support the security decision-making process. I find that structuring the risk assessment as a set of arguments forces risk assessors to make their assumptions explicit and that maintaining a mapping between risks and countermeasures increases the defensibility of the resulting security requirements. I use value modelling, i.e. understanding the value transfers which underpin any commercial information system, to quantify risks, identify vulnerabilities to fraud, and rationalize processes. I propose an ontological and procedural extension to automate this process.