A Generic Security Template for Information System Security Arguments: Mapping Security Arguments within Healthcare Systems

Ying He, School of Computing Science, University of Glasgow, UK.
Contents

- Background
- Objectives
- Business Model
- Evaluations
- Conclusions
Background

- Healthcare accounts for 42% of reported incidents, the highest share of any sector [1].
- Research communities (e.g. NIST, SANS) stress incident learning as a stage of the incident handling lifecycle.
- Incident sharing platforms:
  - European Network and Information Security Agency (ENISA)
  - The US National Healthcare and Public Health Information Sharing and Analysis Centre (NH-ISAC)
  - UK government Cyber Security Information Sharing Partnership

[1] Internet Security Threat Report Trends, Symantec Corporation, Volume 19 (2014)
Background (Continued)

The problem:
- Current research does not provide a mechanism for conveying key incident details effectively.
- Little research on feeding lessons learned back into Information Security Management Systems (ISMS).
- Ineffective communication and redistribution of lessons learned from different incident data sources:
  - Technical notes
  - Incident reports
  - Social media (e.g. news articles, weblogs)
- Incoherent security arguments about how the remedial actions taken have satisfied the system's security requirements.
Objectives

- Propose a method that can present a coherent security argument and effectively communicate security lessons.
- Evaluate its suitability to depict security arguments from different security incident data sources.
- Evaluate its usability to communicate security arguments compared to traditional approaches.
- Assess its acceptance and applicability in communicating and redistributing lessons learned in a healthcare context.
Business Model - Theoretical Basis

- Assurance Case: a documented body of evidence that provides a convincing and valid argument that a specified set of critical claims is adequately justified for a given application in a given environment.
- Goal Structuring Notation (GSN): included in ISO 15026 for presenting assurance cases; widely used in the safety domain.
- The Generic Security Template (GST): a documented body of lessons learned, identified from a security incident, that can support the security requirements of an Information Security Management System (ISMS).
Business Model - Example

Example (NHS Surrey IT Asset, 2013):
- The Context, e.g. the healthcare system of NHS Surrey.
- The Strategy, e.g. the IT Asset Disposal Guidance.
- The Security Issue, e.g. the disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data processor.
- The Violated Security Requirement, e.g. risk management of the disposal process should be conducted.
- The Recommendation, e.g. carry out a risk assessment when using a data processor to dispose of the hard drives.
Business Model - Example (instantiated GST for NHS Surrey)

Top goal: Healthcare System (HS) is acceptably secure.
- Context: Healthcare System of NHS Surrey.
- Context: IT Asset Disposal guidance proposed by the Information Commissioner's Office under the Data Protection Act.

Strategy 1: Argument over IT Asset Disposal Guidance.
- An asset disposal strategy has been created.
- An IT asset disposal company has been selected.
- Risk management of the disposal process has been conducted.
  - Lesson learned (Risk Management): Carry out a risk assessment when using a data processor to dispose of the hard drives.
- The devices containing personal data have been identified.
  - Lesson learned (Personal Data): Wipe medical information and confidential sensitive data before recycling.
- A contract with the data processor has been drawn up.
  - Lesson learned (Contract): Have a written contract with the company processing the IT asset.
- The asset disposal process and data processors have been managed.
  - Lesson learned (Disposal Monitoring): Monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company, based on the serial numbers in the destruction certificates for each individual drive.

Strategy 2: Argument over all missing security recommendations.
- (Guideline non-existent) Remedial action has been taken for the disposal process for redundant equipment.
  - Lesson learned (Remedial Action): Take remedial action, including developing a new policy framework to address the internal re-use of information and appliances and the disposal process for redundant equipment.
Business Model - The Generic Security Template

G1: {System X} is acceptably secure
- In the context of C1: ISMS for {System X}
- In the context of C2: Security Standard for {System X}

S1: Argument over {Security Standard X}
- G3 {Index 1.X}: {Security Requirement 1.X} is addressed (p instances, p = number of security requirements of level 1)
  - ...
  - GN {Index N.X}: {Security Requirement N.X} is addressed (r instances, r = number of security requirements of level n)
    - LL1: {Security Issue N.X} / {Recommendation N.X}

S2: Argument over all missing security recommendations
- G2 (Standard non-existent): {Missing Recommendation Y} is addressed (q instances, q = number of missing security recommendations)
  - LL2: {Missing Security Issue Y} / {Missing Recommendation Y}
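To make the template concrete, here is an added Python model (not part of the original slides or the author's tooling) of the GST as a goal tree, instantiated with the NHS Surrey case from the previous slide. The Goal/Strategy/Lesson classes, the standard_gap flag marking the S2 branch, and the issue texts labelled "constructed" are assumptions of this example; coverage() reports which requirements of the standard the incident's lessons address, which the incident did not touch, and which recommendations the standard itself lacks.

```python
from dataclasses import dataclass, field
@dataclass
class Lesson:                 # LL node: {Security Issue} -> {Recommendation}
    issue: str
    recommendation: str

@dataclass
class Goal:                   # G node: "{Security Requirement} is addressed"
    text: str
    lessons: list = field(default_factory=list)
    strategies: list = field(default_factory=list)

@dataclass
class Strategy:               # S node; standard_gap marks S2, the argument over
    text: str                 # recommendations the standard does not contain
    goals: list = field(default_factory=list)
    standard_gap: bool = False

def build_nhs_surrey() -> Goal:
    """G1 with S1/S2 and NHS Surrey 2013 goals from the slides (wording abridged)."""
    s1 = Strategy("Argument over IT Asset Disposal Guidance", [
        Goal("An asset disposal strategy has been created"),
        Goal("An IT asset disposal company has been selected"),
        Goal("Risk management of the disposal process has been conducted", [Lesson(
            "Disposal process required no risk assessment of using a data processor",
            "Carry out a risk assessment when using a data processor")]),
        Goal("Devices containing personal data have been identified", [Lesson(
            "Drives sent for recycling still held medical data (constructed issue)",
            "Wipe medical and confidential data before recycling")]),
        Goal("The disposal process and data processors have been managed", [Lesson(
            "Destruction not monitored per drive (constructed issue)",
            "Monitor destruction; keep audit trails and inventory logs")])])
    s2 = Strategy("Argument over all missing security recommendations", [
        Goal("Remedial action has been taken for the disposal process", [Lesson(
            "Guidance is silent on disposal of redundant equipment",
            "Develop a new policy framework for internal re-use and disposal")])],
        standard_gap=True)
    return Goal("Healthcare System of NHS Surrey is acceptably secure", strategies=[s1, s2])

def coverage(root: Goal, out: dict = None) -> dict:
    """Sort leaf goals: addressed by a lesson, untouched by this incident, or gaps in the standard."""
    out = out if out is not None else {"addressed": [], "untouched": [], "standard_gaps": []}
    for s in root.strategies:
        for g in s.goals:
            if g.strategies:              # nested level-n goal: recurse into it
                coverage(g, out)
            else:
                kind = "standard_gaps" if s.standard_gap else "addressed" if g.lessons else "untouched"
                out[kind].append(g.text)
    return out
```

For the NHS Surrey tree, coverage() returns three addressed requirements, two untouched ones and a single standard gap, which is the question the applicability study later asks of a hospital's own standards.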
Evaluations - Suitability

Objective: Evaluate the GST's suitability to depict security arguments from different security incident data sources.

Methodologies: case studies from the US, China and the UK
- US security incident reports (6)
- China incident news articles (13)
- UK incident monetary penalty reports (14)

Selected cases:
- Two from the US (VA Data Leakage, 2006/2007)
- One from China (Shenzhen Data Leakage, 2008)
- One from the UK (NHS Surrey IT Asset, 2013)
Evaluations - Suitability Findings

- The GST is suitable for depicting security arguments from different security incident data sources.
Evaluations - Usability

Objective: Evaluate the GST's usability to communicate security arguments from security incidents compared to traditional approaches.

Methodologies:
- Controlled experiment: accuracy, efficiency, task load, ease of use
  - Participants: 24 students from the University of Glasgow
  - Group A (Report & GST); Group B (Report only)
- Heuristic evaluation
  - Cognitive Dimensions
  - Qualitative feedback
Evaluations - Usability Findings of the Controlled Experiment

- Participants are better able to understand the security arguments with the help of the GST than using the text alone (result is statistically significant).
- The time taken to complete the designed task is less using the GST than using the text alone (result is NOT statistically significant).
- The mental effort is lower with the help of the GST than using the text alone (result is statistically significant).
- Participants find the GST easier to use than the text approach (subjective feedback).
Evaluations - Usability Findings of the Heuristic Evaluation

- Level of abstraction of the GST
- Scalability of the GST
Evaluations - Acceptance

Objective: Assess the GST's acceptance in communicating and redistributing lessons learned in a healthcare context.

Industrial case study (internship: Security Strengthening Program)
- Participants: ten healthcare professionals, five security experts
- Interview themes: security incident handling process; acceptance of the GST
Evaluations - Acceptance Findings of the Incident Handling Process

- A mature incident handling process: preparation, investigation, mitigation, post-incident learning, incident response team, severity level definition.
- Ineffective incident knowledge gathering
  - Low severity: less focus on incident knowledge gathering
  - High severity: report generated for administrative use only
- Ineffective dissemination of incident lessons learned
  - Low severity: technical notes documented in pieces
  - High severity: report difficult to digest
- Ineffective incident knowledge feedback
  - Low severity: focus on direct causes rather than root causes
  - High severity: report does not include revisions to security procedures
Evaluations - Acceptance Findings of GST Acceptance

- Different interpretations of the GST by different user groups
- Applicable scenarios in the organisation:
  - A tool to convert an incident report into a learning document
  - A tool for communicating incidents
  - A tool to feed incident knowledge to security management systems
- Limitations:
  - Lack of a multi-view function
  - Not fully accepted by healthcare professionals
Evaluations - Applicability

Objective: Assess the GST's applicability in communicating and redistributing lessons learned in a healthcare context.

Industrial case study (internship: Security Strengthening Program)
- Participants: three healthcare professionals, two IT security experts, one IT security manager
- Interview theme: feeding back lessons learned from external incidents to the information security management system (ISMS) of the redacted hospital.
Evaluations - Applicability Findings

Lessons learned fed back to the ISMS:
- The lessons learned from incidents in other healthcare organisations can be transferred to the redacted hospital.
- The redacted hospital is more likely to accept lessons from the Shenzhen data leakage incident.
- The GST helps the hospital assess whether applicable security standards address the concerns raised in previous breaches.

Customisation requirements:
- Provide software support
- Enable a multi-view function
- Add a lessons-learned acceptance identifier
Contributions

- Identified the current barrier to incident learning: ineffective communication and redistribution of lessons learned.
- Proposed a security argument approach to effectively communicate lessons learned.
- This approach is suitable for presenting security arguments from incident reports, monetary penalty reports and news articles.
- This approach can improve the communication of lessons learned compared to traditional text-based reports.
- This approach is accepted in a healthcare organisation and can be applied to communicate lessons learned to the security management system of a healthcare organisation.
Limitations and Future Work

- Subjective features: the translation from natural-language statements into a structured graphical overview.
  - Apply knowledge representation.
  - Apply intelligent techniques (e.g. natural language processing).
- Scalability
  - Commercial GSN tools (e.g. ASCE, INESS)
  - Provide software support.
- Soundness of the security argument
  - Confidence argument
  - Apply formalisms to mechanically check logical soundness.
Publications

[1] Y. He, C.W. Johnson, M. Evangelopoulou and Z.S. Lin. Diagraming approach to structure the security lessons: Evaluation using Cognitive Dimensions. The 7th International Conference on Trust & Trustworthy Computing, 2014, Crete, Greece.
[2] Y. He, C.W. Johnson, Y. Lu and A. Ahmad. Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. The 8th IFIP WG 11.11 International Conference on Trust Management, 2014, Singapore.
[3] Y. He, C.W. Johnson, Y. Lu and Y. Lin. Improving the Information Security Management: An Industrial Study in the Privacy of Electronic Patient Records. IEEE CBMS 2014, The 27th International Symposium on Computer-Based Medical Systems, 2014, New York, US.
[4] Y. He, C.W. Johnson, K. Renaud, Y. Lu and S. Jebriel. An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents. The 6th International Conference of Computer Science and Information Technology, 2014, Amman, Jordan.
[5] Y. He and C.W. Johnson. Generic security cases for information system security in healthcare systems. The 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference, 2012, Edinburgh, UK.