Increasing the confidence in security assurance cases at runtime
Examensarbete för masterexamen
Software engineering and technology (MPSOF), MSc
Security assurance cases consist of arguments which are supported by evidence to justify that a system is acceptably secure. However, security assurance cases are relatively static and therefore currently not effective at runtime in supporting users to mitigate threats. The aim of this thesis was to investigate how security assurance cases can be extended with game theory in order to enable dynamic decision-support in the context of threats and environmental changes. Game theory is able to represent the interaction between different actors and identify their optimal strategies based on their payoffs and likelihoods. In order to identify the relevant requirements for a security assurance case extension, interviews were conducted with security experts to identify what challenges there are with maintaining security assurance cases at runtime that make them not able to effectively support decisions. The security assurance case extension was then created based on these findings and in the end evaluated with the security experts in order to assess its effectiveness. The results show that there are multiple challenges both at runtime itself as well as design time towards maintaining security assurance cases and enabling them to become a more ’living’ document. Some of the challenges were, for instance, uncertainty due to the system and environmental complexity, organizational limitations such as ineffective maintenance processes as well as complex decision processes at runtime. Moreover, an effective decision-support as part of security assurance cases would need to be able to simulate decision-making at runtime to guide the strategy in attack scenarios with humans in the loop in order to subsequently manage the different challenges. The extension of the security assurance case was added as a security control connected to assets in the security assurance case, where a claim indicates what strategy should be taken at runtime. This claim changes dynamically with the recommended strategy output by the game-theoretic model at runtime. The concept of integrating more runtime adaptivity is new and relatively complex. Overall, based on the results of the evaluation, the extension was considered as being potentially useful, however this would further depend on how it will be implemented in practice.
Security Assurance , Security Assurance Cases , Game Theory , Dynamic Decision-making , Runtime