Personal Information Security Assistant (PISA)
Prof. Dr. Roel Wieringa
Universiteit Twente
3 July 2013, Cybersecurity Veldraadpleging

Project goal
- To develop and field-test a tool that performs IT risk management for consumers
- Long-term, but applied cybersecurity research

Project motivation
- End-users are the weakest link in IT security
- Easy prey for cyberattacks
- Easy resources (botnets) for cyberattacks
- Improvement in end-user security has potentially large rewards
- End-users can function as early adopters

Tool architecture
[Diagram: End-user, PISA Client, PISA Risk Repository, PISA Assurance Provider, IT Service, IT Service Provider]
- End-user: Consumer, independent entrepreneur, or employee
- IT service: An application, service or device
- IT service provider: The organization delivering the service

Tool architecture
- Client collects data about IT services used by end-users
- Risk repository maintains data about risks of IT services
- Assurance provider answers questions about end-user's risk profile

Three usage scenarios
- Independent components
  - End user (e.g. an entrepreneur) manually configures and manages PISA client;
  - Independent provider manages risk repository;
  - Trusted third party manages assurance provider.
- Integrated scenario
  - IT service provider (e.g. social network) integrates PISA components in its own IT service
- Enabled scenario
  - IT service provider (e.g. a bank) integrates risk repository in its own service;
  - PISA client is offered through a web interface to end-users;
  - End user runs assurance provider on its own devices.

Partners
- KPN
  - SBIR project Personal trust Agent/Personal trust center. Protection of teleworkers.
- XS4all
  - Field testing

User group
- CSC (among others, security consultancy)
- Complions (among others, security consultancy)
- Intermedion (consultancy)
- IT United
- Cap Gemini
- (still need a bank)
- Two user group meetings per year
- Case study sites

Research goal 1: Tool development (with KPN)
- Requirements (KPN, User group, current prototype)
- Development & test infrastructure (KPN)
- Initial design & prototype, test on small scale (UT, KPN, user group)
- Test security of PISA
- Second prototype, small field test (XS4all 30 subjects)
- Third prototype, large field test (XS4all, 30 + 30 subjects)

Research goal 2: Risk repository
- Develop a risk ontology
- Build initial risk repository (KPN, User group)
- Design and test ways to maintain risk repository

Research goal 3: Design and test persuasive user interface
- Use risk visualization techniques
- Use persuasion techniques
- Use adaptation techniques

Business models
- Different scenarios come with different business models
- Develop these models
- Follow up the project with valorisation

Experiences during project preparation
- Match with KPN at matchmaking meeting:
  - Same ideas about IT security; personal match with Haydar Cimen (KPN)
  - However: success rate 1:100?
- Champion within KPN
- KPN has a related SBIR project targeting teleworkers; different technology.
- The LTR-SBIR link is coincidental; do not require it in a call for proposals.
- When it exists, it adds a lot of value; cross-pollination
- KPN's motivation:
  - Complements its own SBIR project; PISA output may be useful.
  - Exposure of KPN to interesting young people and ideas
  - More interesting research and work environment for KPN employees; challenges employees to keep their knowledge up to date.

Thank you!