Managing security requires appropriate support for decision-making processes related to systems that embrace both information technology and human factors. Such systems are characterized by a complex interplay between human factors and technology. The two constituent parts are coupled in many ways, i.e. by interactions, and a large number of these interactions form various feedback loops. There are also soft factors that have to be taken into account, e.g. human perception of phenomena such as trust. Therefore, to support decision-making properly with regard to security, one has to deal with both physical and information flows. Additionally, many decisions have to be made in circumstances where there is not enough time or other resources to test decisions for their effects in a real environment, or where such checks are not possible at all. Nevertheless, all these issues are essential for an appropriate security policy.
The methodology that can be used to support the resolution of the above-mentioned problems is system dynamics. It was founded by Jay Forrester (Forrester, 1961) and is also called business dynamics. It enables qualitative and quantitative modeling of IS systems that have the above-mentioned characteristics. Using this methodology, one starts with a qualitative approach: one identifies the variables that are relevant to system behavior and defines the boundary that distinguishes endogenous from exogenous variables. Variables are connected by causal links, which have positive polarity if an increase/decrease of the input variable results in an increase/decrease of the output variable. When an increase/decrease of the input variable results in a decrease/increase of the output variable, the polarity is negative. Some variables are of a stock nature (also called levels) and these introduce persistency (inertia) into the system. At the same time, they decouple inflows from outflows and thus act as a kind of buffer or absorber. Building a model of a system with this approach yields so-called causal loop diagrams, and these diagrams provide a useful means for managing the security of e-business systems.
To formulate a quantitative model and gain better insight into the system, causal loop diagrams are backed up with the necessary data and thus transformed into quantitative models of systems. In the simplest case, these models form a set of algebraic equations, but this is rare. More often, quantitative models consist of systems of integral and differential equations, for which analytical solutions are far from trivial and in many cases do not exist at all. The only way to approximate a solution in such cases is computer simulation.
System dynamics has recently been used to approach information systems security issues (Gonzales, 2002). In this chapter, we further explore this approach by linking it to business intelligence in order to achieve an appropriate architecture for qualitative and quantitative management of security in intelligent enterprises.
The basis of this architecture is operational security-related data that comes from various sources: general host logs, router logs, application logs, phone and fax logs, and physical security system logs (video cameras, smart-card based access systems). One should not overlook such details as printer logs, photocopier logs, etc. These are all operational, legacy data that have to be transformed in the next step. This means preparing the data for a security data warehouse, which has to capture primarily the date and time at which security-related activities start, their duration, their nature (types of activities) and the identity of the persons performing these tasks.
The exact data that have to be captured in a security database are defined in line with the causal loop diagram model of an organisation. This means that there are no general solutions for this kind of support, because each organisation is a specific case. It is possible, however, to define a few typical kinds of organisation for this purpose. The whole architecture of intelligent risk management is given in Figure 3.
Figure 3: Using the Business Intelligence Approach to Formally Support Risk Management.
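The transformation step described above, as an added illustration that is not part of the chapter: heterogeneous legacy logs (a host login log, a smart-card badge log and a printer log, all with constructed, invented formats) are normalised into the fact records a security data warehouse needs, i.e. start time, duration, type of activity and the person involved. Start/end event pairs are matched per user to obtain the duration; an activity still open at the end of the extract keeps an unknown duration rather than a guessed one.

```python
"""Constructed example: normalising legacy security logs into warehouse facts.
All log formats, field names and sample lines below are invented for illustration."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines from three "legacy" operational sources.
SAMPLE_LOGS = {
    "host": [
        "2004-03-01 08:02:11 sshd[412]: session opened for user alice",
        "2004-03-01 08:47:40 sshd[412]: session closed for user alice",
        "2004-03-01 09:15:03 sshd[530]: session opened for user bob",   # never closed
    ],
    "badge": [
        "2004-03-01 07:55:00 IN door=main user=alice",
        "2004-03-01 12:30:00 OUT door=main user=alice",
    ],
    "printer": [
        "2004-03-01 09:10:00 PRINT user=bob pages=12",
    ],
}

TS_FMT = "%Y-%m-%d %H:%M:%S"

# One regular expression per source; every pattern exposes `ts` and `user`.
PATTERNS = {
    "host": re.compile(r"^(?P<ts>\S+ \S+) sshd\[\d+\]: session (?P<ev>opened|closed) for user (?P<user>\w+)$"),
    "badge": re.compile(r"^(?P<ts>\S+ \S+) (?P<ev>IN|OUT) door=(?P<door>\w+) user=(?P<user>\w+)$"),
    "printer": re.compile(r"^(?P<ts>\S+ \S+) PRINT user=(?P<user>\w+) pages=(?P<pages>\d+)$"),
}

# Sources whose activities have a start and an end event: (activity type, start event, end event).
ACTIVITY = {
    "host": ("remote_login", "opened", "closed"),
    "badge": ("building_presence", "IN", "OUT"),
}


def parse_line(source: str, line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if the line does not match."""
    m = PATTERNS[source].match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def fact(start, duration, activity, person, source, extra=None) -> dict:
    """One warehouse fact: start, duration in days (None if unknown), type, person, origin."""
    return {
        "start": start,
        "duration_days": None if duration is None else duration.total_seconds() / 86400,
        "activity": activity,
        "person": person,
        "source": source,
        **(extra or {}),
    }


def build_facts(logs: Dict[str, List[str]]) -> List[dict]:
    """Turn raw log lines into facts, matching start and end events per user."""
    facts = []
    for source, lines in logs.items():
        open_by_user: Dict[str, datetime] = {}
        for line in lines:
            rec = parse_line(source, line)
            if rec is None:
                continue  # unparseable lines are skipped, not guessed
            if source in ACTIVITY:
                act, start_ev, end_ev = ACTIVITY[source]
                if rec["ev"] == start_ev:
                    open_by_user[rec["user"]] = rec["ts"]
                elif rec["ev"] == end_ev and rec["user"] in open_by_user:
                    start = open_by_user.pop(rec["user"])
                    facts.append(fact(start, rec["ts"] - start, act, rec["user"], source))
            else:
                # Instantaneous events (here: a print job) have zero duration.
                facts.append(fact(rec["ts"], timedelta(0), "print_job", rec["user"], source,
                                  extra={"pages": int(rec["pages"])}))
        # Activities still open at the end of the extract have an unknown duration.
        for user, start in open_by_user.items():
            facts.append(fact(start, None, ACTIVITY[source][0], user, source))
    return sorted(facts, key=lambda f: f["start"])


if __name__ == "__main__":
    for f in build_facts(SAMPLE_LOGS):
        print(f)
```

The per-source regular expressions are where organisation-specific knowledge enters; the fact layout stays the same for every source, which is what makes the warehouse queries that feed the simulation model independent of the individual log formats.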
We have developed a model that will be used to study the relationships between real risk, perceived risk, the discrepancy between those two risks and the adjustment rate of perceived risk (see Figure 4 for the basic model). This model is called the security policy causal loop diagram (SPCLD). At the heart of the SPCLD model there is real risk, measured in security incidents per day. This rate influences, with a certain delay, the discrepancy between real and perceived risk on the one hand and, with another delay, the adjustment of the security policy level on the other. Further, it directly affects the frequency of internal accidents, which is related to the security policy level and to the length of normal operation; the latter drives the real adjustment time. This time gives the rate of proportionality between the change in perceived risk and the discrepancy. The adjustment weight is used to change the influence of normal operation length on the real adjustment time. Finally, the luck factor models the fact that of two organizations with similar hardware and software configurations, one can suffer from an attack while the other may survive without being attacked.
Figure 4: A Simplified Causal Loop Diagram of Human Resources Management for an Organization's Security Policy (the complete and updated model is available from http://epos.ijs.si/spcld.mdl).
The model can also be analyzed in terms of loops; it consists of three. The upper left loop is the loop of dynamic adjustment of perceived risk, which is an essential driver of the intensity of the security tasks carried out by the personnel. The upper right loop is a loop of trust in the system. The lower the frequency of internal accidents, the longer the period of normal operation, which causes higher trust of the personnel in the system and consequently larger inertia in the speed of mental adaptation when problems occur. This means that the adjustment time will be smaller where only a few weeks have passed between two consecutive successful attacks than where years have passed between two such attacks. The lower loop is the environmental (organizational) adjustment loop, which states how quickly an organisation responds to real risks through adjustment of the security policy level, i.e. the level of security-related tasks per day. Note that the whole model is intentionally deterministic in order to make it easier to recognize irregularities that would otherwise be attributed to the stochastic properties of the core variables in the model. Finally, perceived risk cannot be smaller than zero and this has been taken into account in the working simulation model.
From the decision maker's perspective, it can be observed that the only variables that play the role of levers are the security policy level and the delay between the appearance of a certain risk and the adjustment of the security policy level; the management can influence the delay in the system to a certain extent. In all that follows, the most important variables from Figure 4 will be denoted by their initials, written in capital letters:
IAF stands for internal accidents frequency and is measured in accidents per day,
RR stands for real risk and is measured in accidents per day,
SPL stands for security policy level and is measured in tasks per day,
STD stands for security tasks duration, i.e. intensity, and is measured in days.
In our model, the nature of risk is such that it appears in intervals that last for a certain time, after which the risk ceases due to countermeasures implemented in the meantime. After a certain period, another risk appears and the whole game starts over again. Thus, risk is modeled as a train of accident pulses and is measured in accidents per day.
In our simulations, which are based on a model derived from that in Figure 4, real risk equals four attacks per day, lasting for five days and then ceasing, until a new kind of attack appears. Initial perceived risk equals six attacks per day, and the delay between real risk and discrepancy is a third-order exponential delay with a delay parameter of seven days. Similarly, the security policy level is exponentially delayed relative to real risk and its initial delay parameter is seven days. Certainly, there are other constants in the system, which are intentionally omitted for clarity, but they do not change the basic principles. The reader should therefore bear in mind that the exact values of the variables in our model are largely irrelevant, as they depend on each particular organisation. They serve for tuning the system and are needed to achieve consistency of measures. So what matters is not exact numbers to the last decimal point, but general modes of behavior. The intention of this chapter is to demonstrate a business intelligence based architecture that reveals typical behavior patterns in an organisation in the area of security policy and human resource management.
Let us start with the initial situation based on the values given above. One can note that the personnel quite quickly adjust their assumptions about real risk and consequently their security activities. This is due to an appropriate security policy level, driven by the management and by relevant data about attacks collected net-wide. One can also observe that small adjustments in the system are likely to lead to a smoother trend line of the security policy level (see Figure 5).
Now the management decides to smooth the security policy trend line by prompt adaptation of the security policy level to the level of reported real risks, which means shortening the delay between real risk and security policy level. Surprisingly, the number and frequency of internal accidents remain almost the same, but the price paid includes oscillation in the security policy level, which means excessive work and unnecessary pressure on the personnel and is likely to result in various negative feedbacks. The reason for this effect is the high sensitivity of the system to prompt reactions to reported risk, and so a "keep calm" approach pays off (see Figure 6).
Figure 6: Shortening the Delay Between Real Risk and Security Policy Level in the SPCLD Model.
However, how could the management in this situation reduce the frequency of internal accidents? There is another natural lever, which is the security policy level. By increasing the security policy level without a stringent attitude towards the delays between real risks and their manifestation in the security policy level, it can be seen that adjusting the security policy alone gradually leads to far better results (see Figure 7). Moreover, the results show that there is a feedback loop which is not explicitly drawn in Figure 4: an increased security policy level results in a longer security tasks duration. Therefore, with the same number of personnel, the personnel would start to lose concentration and show other symptoms of fatigue.
Figure 7: Achieving a Better Output by Less Stringent Requirements on Delays and by Increasing Security Policy Level.
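The simulation experiments discussed above (baseline, shortened delay, raised security policy level), as an added illustration that is not the authors' SPCLD model or the simulation behind Figures 5 to 7: a small deterministic, Euler-integrated model built from the chapter's description of Figure 4 and the stated constants (RR pulses of four attacks per day for five days, initial perceived risk six, third-order exponential delays with a parameter of seven days). The pulse period (30 days), the luck factor, the strength with which SPL suppresses internal accidents, the adjustment-time constants, the days-per-task factor and the exact form of each equation are assumptions made here and are marked as such in the code. The block returns, per scenario, the accumulated internal accidents, a churn measure of the SPL trajectory (sum of absolute changes, used as a proxy for the oscillation the chapter describes), the peak STD and the minimum perceived risk.

```python
"""Constructed, deterministic SPCLD-style simulation (not the chapter's own model).
Units follow the chapter: RR and IAF in accidents/day, SPL in tasks/day, STD in days."""
from dataclasses import dataclass
from typing import Dict, List


class Delay3:
    """Third-order exponential delay: three cascaded first-order stages,
    each with time constant T/3 (the DELAY3 building block of system dynamics)."""

    def __init__(self, delay_time: float, initial: float = 0.0):
        self.tau = delay_time / 3.0
        self.stages = [initial, initial, initial]

    def step(self, x: float, dt: float) -> float:
        inp = x
        for i in range(3):            # Euler step of ds/dt = (input - s) / tau
            self.stages[i] += dt * (inp - self.stages[i]) / self.tau
            inp = self.stages[i]
        return self.stages[2]


def real_risk(t: float, level: float = 4.0, duration: float = 5.0, period: float = 30.0) -> float:
    """Train of accident pulses: `level` accidents/day for `duration` days, then
    zero until the next pulse. The 30-day period is an assumption."""
    return level if (t % period) < duration else 0.0


@dataclass
class Params:
    horizon: float = 90.0
    dt: float = 0.1
    rr_delay: float = 7.0          # delay real risk -> discrepancy (days), from the chapter
    spl_delay: float = 7.0         # delay real risk -> SPL (days), management lever
    spl_base: float = 2.0          # baseline SPL in tasks/day, management lever (assumed)
    spl_gain: float = 1.0          # extra tasks/day per delayed accident/day (assumed)
    perceived_risk0: float = 6.0   # from the chapter
    adj_base: float = 3.0          # base adjustment time in days (assumed)
    adj_weight: float = 0.2        # adjustment weight (assumed)
    luck: float = 1.0              # luck factor (assumed)
    protection: float = 0.5        # how strongly SPL suppresses internal accidents (assumed)
    accident_threshold: float = 0.05  # IAF above this ends "normal operation" (assumed)
    days_per_task: float = 0.2     # STD per task (assumed)


def simulate(p: Params) -> Dict[str, List[float]]:
    rr_to_disc = Delay3(p.rr_delay)
    rr_to_spl = Delay3(p.spl_delay)
    pr, normal_ops, t = p.perceived_risk0, 0.0, 0.0
    out: Dict[str, List[float]] = {k: [] for k in ("t", "RR", "PR", "SPL", "STD", "IAF")}
    for _ in range(int(p.horizon / p.dt)):
        rr = real_risk(t)
        delayed_rr = rr_to_disc.step(rr, p.dt)
        spl = p.spl_base + p.spl_gain * rr_to_spl.step(rr, p.dt)
        iaf = rr * p.luck / (1.0 + p.protection * spl)        # lower loop: SPL damps accidents
        std = p.days_per_task * spl * (1.0 + pr / 4.0)        # hidden loop: more SPL, longer STD
        # Trust loop: a long period of normal operation lengthens the adjustment time.
        normal_ops = 0.0 if iaf > p.accident_threshold else normal_ops + p.dt
        adj_time = p.adj_base + p.adj_weight * normal_ops
        discrepancy = delayed_rr - pr                          # upper left loop
        pr = max(0.0, pr + p.dt * discrepancy / adj_time)      # perceived risk never below zero
        for k, v in (("t", t), ("RR", rr), ("PR", pr), ("SPL", spl), ("STD", std), ("IAF", iaf)):
            out[k].append(v)
        t += p.dt
    return out


def total_accidents(run: Dict[str, List[float]], dt: float) -> float:
    return sum(v * dt for v in run["IAF"])


def total_variation(series: List[float]) -> float:
    """Sum of absolute changes: a crude measure of oscillation in a trajectory."""
    return sum(abs(b - a) for a, b in zip(series, series[1:]))


def compare_scenarios() -> Dict[str, Dict[str, float]]:
    scenarios = {
        "baseline": Params(),
        "prompt": Params(spl_delay=1.0),   # management shortens the delay (Figure 6 experiment)
        "raised": Params(spl_base=6.0),    # management raises SPL instead (Figure 7 experiment)
    }
    result = {}
    for name, p in scenarios.items():
        run = simulate(p)
        result[name] = {
            "accidents": total_accidents(run, p.dt),
            "spl_churn": total_variation(run["SPL"]),
            "peak_std": max(run["STD"]),
            "min_pr": min(run["PR"]),
        }
    return result


if __name__ == "__main__":
    for name, m in compare_scenarios().items():
        print(name, {k: round(v, 3) for k, v in m.items()})
```

With these assumed constants the prompt-reaction scenario shows markedly higher SPL churn than the baseline, and raising the baseline SPL lowers the accumulated accidents while raising the peak STD, which is the qualitative pattern the chapter reports; the absolute numbers, as the chapter itself stresses, depend on the organisation and on the tuning constants.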
To conclude this chapter: human factors are critical and appropriate risk management has to take this into account. The security policy is the main document about risk management in every organisation, and its introduction and maintenance have to be adequately supported by the use of modern business intelligence techniques. Using causal loop diagramming, decision makers can get a holistic perspective on their systems, but to verify and properly adjust these models they have to be linked to appropriate sources that provide real-time data for simulations and for verification of the model. The complete methodology is shown in Figure 8.
Figure 8: Building Business Intelligence Based Architecture to Support Security Management.