The role of human behaviour in enterprise security is one of the little studied aspects. The author proposes a reinforcement model of collaborative security employing basic concepts from game theory, socio-psychology, and probabilistic model-checking. The proposed model aims towards solving the problem of inducing positive network effect to enable user centric monitoring of security violations, in particular, against violations related to ”semantic manipulation” of context dependent logical resources. Preventing such violations using existing security enforcement mechanisms is neither feasible nor cost effective. The author defines a payoff mechanism to formalize the model by stipulating appropriate payoffs as reward, punishment, and community price according to reporting of genuine or false violations, non-reporting of the detected violations, and proactive reporting of vulnerabilities and threats by the users. Correctness properties of the model are defined in terms of probabilistic robustness property and constraints for economic feasibility of the payoffs. For estimating the payoff parameters, system and user behaviours are further modelled in terms of probabilistic finite state machines (PFSM) and likelihood of the success of the model is specified using probabilistic computation tree logic (PCTL). PRISM model checker based automated quantitative analysis elicits the process of the estimation of various parameters in the model using PFSMs and PCTL formulas.
TopIntroduction
With the increasing size of today’s organizations having dynamically changing asset base (physical and logical), designing appropriate security policies and their enforcement to maintain confidentiality and integrity of these assets are becoming increasingly difficult. One of the noticeable limitations of the existing security frameworks is that user base of assets is differentiated from the security administrators who design and enforce the security policies. Therefore, it appears a natural proposition that if securing confidentiality and integrity of certain types of assets is considered as a collective responsibility of the users and security administrators, the security enforcement would enhance positively. For example, a malicious user making destabilizing changes in a code base could be better monitored and reported for doing so by the associated team members, who have probably better knowledge of it or can better detect it than the centrally administered monitoring mechanisms.
To make users responsible for the security of the assets (in particular critical assets), a plausible approach may be to involve them in different aspects of security including threat perception and monitoring the violations of policies. Now-a-days, all these operations are mainly taken care by a limited group of administrators. They define security policies, devise means to enforce them, and monitor continuously to detect possible violations. However, a large enterprise-wide organization typically has tens of thousands of employees and many more roles/tasks/permissions, and even larger number of assets and contexts present at any point of time. Thus, under- standing the multitude of security requirements and their enforcement for a large organization is not only difficult but also error-prone. It would be a better solution, if different groups formed based upon business focus, roles, emerging contexts, and tasks also participate in defining security policies and are entrusted with collective monitoring of the policy violations. In early 90s, Greenwald (Greenwald, 1996) advocated similar philosophy in the context of distributed resource management and access control and proposed a Distributed Compartment Model, which allows users to manage resources across different administrative domains with increased independence from central system administrators. Also Vimercati and Samarati (di Vimercati & Samarati, 1996) proposed a model with local user autonomy in access control for federated databases. Administrative Role Based Access Control (ARBAC) (Sandhu et al., 1999; Sandhu & Munawer, 1999) is yet another decentralized framework for access control policies, where different administrators can define and change RBAC policies independently. However policy comparison, consistency checking, or more generally ‘safety property analysis’ of these policies when considered together arises as a natural problem in such distributed policy synthesis frameworks. For example, (Sasturkar et al.,2006; Stoller et al., 2007) consider the problem of formally analyzing reachability, availability, containment, and information flow properties for ARBAC policies.
In this chapter we consider the problem of collaborative enforcement and monitoring of security policies. To guide individuals and groups for this, there needs to be a well-defined framework. This framework should be easy to follow for devising measures to ensure overall implementation of such collaborative monitoring efforts. Also as an organization’s policies change over time, the framework should be such that it can effectively adapt with the changes. Unfortunately existing models of security do not consider such collaborative aspects and thus there is a need to devise one such.
We present a formal framework for devising policies to enable collaborative monitoring against policy violations. Importantly, presented framework does not mandate that the employees take up the additional roles of security completely. Only in certain scenarios, where they could have more effective role in enforcing the policies and are directly impacted by the violations, it is indeed desirable that they take proactive participation as specified by the framework. For example, a discussion on the deliberate coding violations by programmers and IP theft appears in (Group, 2008) highlighting the potential loss which such violations may cause to the organizations especially in the context of safety critical applications.