Security-by-Experiment: Lessons from Responsible Deployment in Cyberspace

Conceiving new technologies as social experiments is a means to discuss responsible deployment of technologies that may have unknown and potentially harmful side-effects. Thus far, the uncertain outcomes addressed in the paradigm of new technologies as social experiments have been mostly safety-related, meaning that potential harm is caused by the design plus accidental events in the environment. In some domains, such as cyberspace, adversarial agents (attackers) may be at least as important when it comes to undesirable effects of deployed technologies. In such cases, conditions for responsible experimentation may need to be implemented differently, as attackers behave strategically rather than probabilistically. In this contribution, we outline how adversarial aspects are already taken into account in technology deployment in the field of cyber security, and what the paradigm of new technologies as social experiments can learn from this. In particular, we show the importance of adversarial roles in social experiments with new technologies.

[1]  Jelena Mirkovic,et al.  Testing a Collaborative DDoS Defense In a Red Team/Blue Team Exercise , 2008, IEEE Transactions on Computers.

[2]  Pieter H. Hartel,et al.  Applying the Lost-Letter Technique to Assess IT Risk Behaviour , 2013, 2013 Third Workshop on Socio-Technical Aspects in Security and Trust.

[3]  Wolter Pieters,et al.  Combatting Electoral Traces: The Dutch Tempest Discussion and Beyond , 2009, VoteID.

[4]  Huseyin Cavusoglu,et al.  Emerging Issues in Responsible Vulnerability Disclosure , 2005, WEIS.

[5]  Kacper Gradon Crime Science and the Internet Battlefield: Securing the Analog World from Digital Crime , 2013, IEEE Security & Privacy.

[6]  Martín Abadi,et al.  Code-Carrying Authorization , 2008, ESORICS.

[7]  M.J.W. van Twist,et al.  Stemmachines: een verweesd dossier , 2007 .

[8]  S. Milgram Obedience to Authority: An Experimental View , 1975 .

[9]  Yueming Lu,et al.  Trustworthy Computing and Services , 2012, Communications in Computer and Information Science.

[10]  Christian Payne,et al.  On the security of open source software , 2002, Inf. Syst. J..

[11]  Gary McGraw,et al.  Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors , 2005, IEEE Secur. Priv..

[12]  Wolter Pieters,et al.  Cost-effectiveness of Security Measures: A model-based Framework , 2014 .

[13]  Wolter Pieters,et al.  The (Social) Construction of Information Security , 2011, Inf. Soc..

[14]  Wolter Pieters,et al.  The persuasion and security awareness experiment: reducing the success of social engineering attacks , 2015, Journal of Experimental Criminology.

[15]  Ibo van de Poel,et al.  The ethics of nuclear power: Social experiments, intergenerational justice, and emotions , 2012 .

[16]  Approaches and Processes for Managing the Economics of Information Systems , 2014 .

[17]  Pieter H. Hartel,et al.  Training students to steal: a practical assignment in computer security education , 2011, SIGCSE '11.

[18]  Günter Müller Emerging Trends in Information and Communication Security , 2006, Lecture Notes in Computer Science.

[19]  P. Sandin,et al.  The Ethics of Consumption , 2016 .

[20]  Wolter Pieters,et al.  Cyber Security as Social Experiment , 2014, NSPW '14.

[21]  L. Floridi The Ontological Interpretation of Informational Privacy , 2005, Ethics and Information Technology.

[22]  Peter G. Neumann,et al.  Security by obscurity , 2003, CACM.

[23]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[24]  Linda Drupsteen,et al.  What is Learning? A Review of the Safety Literature to Define Learning from Incidents, Accidents and Disasters , 2014 .

[25]  Henry Prakken,et al.  Risk Assessment as an Argumentation Game , 2013, CLIMA.

[26]  Ibo van de Poel,et al.  Sunscreens with Titanium Dioxide (TiO2) Nano-Particles: A Societal Experiment , 2010, Nanoethics.

[27]  Wolter Pieters,et al.  Temptations of turnout and modernisation: E-voting discourses in the UK and The Netherlands , 2007, J. Inf. Commun. Ethics Soc..

[28]  Wolter Pieters,et al.  La volonté machinale: understanding the electronic voting controversy , 2008 .

[29]  Roberto Gorrieri,et al.  Foundations of Security Analysis and Design VII , 2014, Lecture Notes in Computer Science.

[30]  Wolter Pieters,et al.  Experimenting with Incentives: Security in Pilots for Future Grids , 2014, IEEE Security & Privacy.

[31]  Bart Jacobs,et al.  Electronic Voting in the Netherlands: From Early Adoption to Early Abolishment , 2009, FOSAD.

[32]  Jukka Vuorinen,et al.  Dissecting social engineering , 2013, Behav. Inf. Technol..

[33]  Bart Jacobs,et al.  Increased security through open source , 2007, Commun. ACM.

[34]  W. Pieters On thinging things and serving services: technological mediation and inseparable goods , 2013, Ethics and Information Technology.

[35]  Serge Gutwirth,et al.  European Data Protection: Coming of Age , 2013, European Data Protection.

[36]  Fredrik Hedenus,et al.  Nuclear power as a climate mitigation strategy – technology and proliferation risk , 2015 .

[37]  Thomas Zimmermann,et al.  Towards the next generation of bug tracking systems , 2008, 2008 IEEE Symposium on Visual Languages and Human-Centric Computing.

[38]  Leyla Bilge,et al.  Before we knew it: an empirical study of zero-day attacks in the real world , 2012, CCS.

[39]  Pieter H. Hartel,et al.  Two methodologies for physical penetration testing using social engineering , 2009, ACSAC '10.

[40]  Jon Crowcroft,et al.  Honeycomb , 2004, Comput. Commun. Rev..

[41]  Ibo van de Poel,et al.  Nuclear Energy as a Social Experiment , 2011 .

[42]  Bert-Jaap Koops,et al.  Smart Metering and Privacy in Europe: Lessons from the Dutch Case , 2013, European Data Protection.

[43]  Francien Dechesne,et al.  Cyber) security in smart grid pilots , 2013 .

[44]  Markus Jakobsson,et al.  Designing ethical phishing experiments , 2007, IEEE Technology and Society Magazine.

[45]  George Huitema,et al.  The Neglected Consumer: The Case of the Smart Meter Rollout in the Netherlands , 2011 .

[46]  Pieter H. Hartel,et al.  Effectiveness of Physical, Social and Digital Mechanisms against Laptop Theft in Open Organizations , 2010, 2010 IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing.

[47]  David Banks,et al.  Adversarial Risk Analysis , 2015, IWSPA@CODASPY.

[48]  Dusko Pavlovic,et al.  Gaming security by obscurity , 2011, NSPW '11.

[49]  Jürgen Großmann,et al.  Security Testing Approaches - For Research, Industry and Standardization , 2013, ISCTCS.

[50]  Rop Gonggrijp,et al.  Studying the Nedap/Groenendaal ES3B Voting Computer: A Computer Security Perspective , 2007, EVT.

[51]  Moti Yung,et al.  A New Randomness Extraction Paradigm for Hybrid Encryption , 2009, EUROCRYPT.

[52]  Rainer Böhme,et al.  A Comparison of Market Approaches to Software Vulnerability Disclosure , 2006, ETRICS.

[53]  Avi Ostfeld,et al.  Locating Monitors in Water Distribution Systems: Red Team–Blue Team Exercise , 2006 .

[54]  Moti Yung,et al.  A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks (extended version) , 2009, IACR Cryptol. ePrint Arch..

[55]  Bart Jacobs,et al.  Dismantling MIFARE Classic , 2008, ESORICS.

[56]  Trevor J. M. Bench-Capon,et al.  On the Instantiation of Knowledge Bases in Abstract Argumentation Frameworks , 2013, CLIMA.

[57]  Peter Weingart,et al.  Commentary: Nuclear Power as a Social Experiment—European Political “Fall Out” from the Chernobyl Meltdown* , 1987 .

[58]  André van Cleeff,et al.  The Precautionary Principle in a World of Digital Dependencies , 2009, Computer.

[59]  Yan Ji Voting by Confidence , 2005 .

[60]  Jukka Vuorinen,et al.  The Order Machine - The Ontology of Information Security , 2012, J. Assoc. Inf. Syst..

[61]  Dafydd Stuttard Hidden Defences: Security & obscurity , 2005 .

[62]  Z. Robaey Who owns hazard? The role of ownership in the GM social experiment , 2013 .