Wednesday, July 12, 2017
7:30 am–9:00 am
9:00 am–10:30 am
Paper Session I
Andrew M’manga, Shamal Faily, and John McAlaney, Bournemouth University; Christopher Williams, Defence Science and Technology Laboratory
There are several standard approaches to risk analysis recommended for use in information security, however, the actual application of risk analysis by security analysts follows an opaque mix of standard risk analysis procedures and adaptations based on an analyst's understanding of risk. We refer to these approaches as Folk Risk Analysis. To understand folk risk analysis, we present the results of a study where Distributed Cognition and Grounded Theory were used to elicit factors influencing risk interpretation by security analysts, and the constrained conditions to risk decision making they encounter.
The Shadow Warriors: In the no man’s land between industrial control systems and enterprise IT systems
Alberto Zanutto, Ben Shreeve, Karolina Follis, Jerry Busby, and Awais Rashid, Lancaster University, UK
Modern production processes are heavily reliant on industrial control systems (ICS) to help automate large-scale facilities. The security of these systems is paramount as evidenced by high profile attacks such as those against Iran’s nuclear facilities and the Ukrainian Power Grid. Existing research has largely focused on technical measures against such attacks and little attention has been given to the security challenges and complexities arising from non-technical factors. For instance, cyber security workers need to maintain security whilst satisfying the demands of varied stakeholders such as managers, control engineers, enterprise IT personnel and field site operators. Existing ICS models, such as the Purdue model, tend to abstract away such complexities. In this paper, we report on initial findings from interviews with 25 industry operatives in the UK and Italy. Our analysis shows that the varying demands of various stakeholders in an ICS represent many complexities that we term grey area. Security workers often play the role of shadow warriors tackling the competing and complex demands in these grey areas while protecting themselves, their integrity and credibility.
Julie Haney and Wayne Lutters, University of Maryland, Baltimore County
Cybersecurity advocates attempt to counter the tsunami of cyber attacks by promoting security best practices and encouraging security technology adoption. However, little is known about the skills necessary for successful advocacy. Our study explores the motivations, characteristics, and practices of cybersecurity advocates. Preliminary analysis of 19 interviews reveals that effective advocates must not only possess technical and soft skills, but also customer service orientation and context awareness. However, little cybersecurity training is available to develop these non-technical skills. Additionally, the cybersecurity profession neglects to frame the field as service-oriented, a theme identified repeatedly in our interviews. We discuss implications of these findings for recruitment and greater workforce diversity.
10:30 am–11:00 am
Break with Refreshments
11:00 am–12:30 pm
Masha Sedova, Elevate Security
As the technology industry races to create new technologies to thwart attacks and stay ahead of hackers, one of the biggest weakness remains employees themselves. Organizations with an innovative behavior-change approach have been able to transform their employees into key assets in defending their organization and continue to see increasingly promising results on phishing tests, trainings, and red team exercises. This talk will look at the multi-step approach innovative companies have taken to not only educate the company's employees about security, but also to make them care and invested in their part of securing the company. Learn how organizations can leverage behavioral psychology and gamification principles to drive positive, effective and measurable security engagement and behavior. We will also discuss how harnessing the power of intrinsic and extrinsic motivations can help drive behavioral change. Finally we will look at effective methods of measuring security behavior change across employees.
Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering a behavioral-science based platform that can measure, motivate, and educate employees on security behaviors that prevent breaches. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha is a member of the Board of Directors for the National Cyber Security Alliance and regular presenter at conferences such as Blackhat, RSA, ISSA and SANS.
12:30 pm–2:00 pm
Lunch (on your own)
2:00 pm–3:30 pm
Paper Session II
Stacey Watson and Heather Richter Lipford, University of North Carolina at Charlotte
System administrators make security decisions based on data provided by a variety of tools. Yet too often these tools do not structure the presentation of that data to support the communication and decision making needs of a variety of stakeholders within an organization. For example, consider the task of fixing system vulnerabilities based on network scans. Network vulnerability tools produce an overwhelming amount of raw data that is difficult to prioritize. The most critical vulnerabilities in the most sensitive systems must be addressed quickly, before attackers discover and exploit them. Additionally, non-security domain experts are often called upon to perform remediation and/or to make critical security decisions. As such, it is imperative that the security state of the network be communicated in such a way as to support these efforts. Unfortunately, current security tools that provide visualizations are complex and fail to provide actionable data. In this paper, we propose a new way to visualize vulnerability scan data by network zone using free and open-source tools to demonstrate how visualizations can be created to support decision making.
Bobby Filar, Richard Seymour, and Matthew Park, Endgame, Inc.
Security products often create more problems than they solve, drowning users in alerts without providing the context required to remediate threats. This challenge is compounded by a lack of experienced personnel and security tools with complex interfaces. These interfaces require users to become domain experts or rely on repetitive, time consuming tasks to turn this data deluge into actionable intelligence. In this paper we present Artemis, a conversational interface to endpoint detection and response (EDR) event data. Artemis leverages dialog to drive the automation of complex tasks and reduce the need to learn a structured query language. Designed to empower inexperienced and junior security workers to better understand their security environment, Artemis provides an intuitive platform to ask questions of alert data as users are guided through triage and hunt work flows. In this paper, we will discuss our user-centric design methodology, feedback from user interviews, and the design requirements generated upon completion of our study. We will also present core functionality, findings from scenario-based testing, and future research for the Artemis platform.
Madiha Tabassum, Stacey Watson, and Heather Richter Lipford, University of North Carolina at Charlotte
The cause of many security problems is vulnerabilities in the underlying code. These vulnerabilities are the result of security mistakes made by programmers during application development, often because of lack of knowledge of the security implications of their code. Thus, educators need to teach students as future developers not only how to program, but how to program securely. Many researchers advocate integrating secure programming guidelines across the computer science curriculum. We are exploring a tool to support this goal. ESIDE (Educational Security in the IDE) is an Eclipse plug-in for Java which provides instant security warnings, detailed explanations, and auto-generated remediation code. The goal is to provide contextualized awareness and knowledge of security vulnerabilities and mitigations as students work on programming assignments within any course. In our latest study, we compare our tool against an alternative approach of using security clinics, a one-on-one session with a teaching assistant. We report preliminary findings regarding strengths and weaknesses of our tool based approach to train developers.
3:30 pm–4:00 pm
Break with Refreshments
4:00 pm–5:30 pm
Discussion and Breakout Session
Research Agenda for WSIW