Preliminary System Dynamics Maps of the Insider Cyber-threat Problem

Twenty five researchers from eight institutions and a variety of disciplines, viz. computer science, information security, knowledge management, law enforcement, psychology, organization science and system dynamics, found each other February 2004 in the “System Dynamics Modelling for Information Security: An Invitational Group Modeling Workshop” at Software Engineering Institute, Carnegie Mellon University. The exercise produced preliminary system dynamics models of insider and outsider cyber attacks that motivated five institutions, viz. Syracuse University, TECNUN at University of Navarra, CERT/CC at Carnegie Mellon University, University at Albany and Agder University College, to launch an interdisciplinary research proposal (Improving Organizational Security and Survivability by Suppression of Dynamic Triggers). This paper discusses the preliminary system dynamic maps of the insider cyber-threat and describes the main ideas behind the research proposal.

[1]  David L. Cooke,et al.  Learning from Incidents , 2003 .

[2]  J. G. Holmes,et al.  Trust in close relationships. , 1985 .

[3]  B. E. Partridge,et al.  The Nature of Managerial Work , 1974 .

[4]  Jose J. Gonzalez,et al.  A system dynamics model of an insider attack on an information system , 2003 .

[5]  George P. Richardson,et al.  Scripts for group model building , 1997 .

[6]  R. Kramer,et al.  Trust in Organizations: Frontiers of Theory and Research , 1995 .

[7]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[8]  Jon M. Werner,et al.  Managers as Initiators of Trust: An Exchange Relationship Framework for Understanding Managerial Trustworthy Behavior , 1998 .

[9]  Youssef H. Aboul-Enein,et al.  AMERICAN JIHAD: The Terrorists Living among Us , 2004 .

[10]  P. Blau Exchange and Power in Social Life , 1964 .

[11]  Kevin J. Sullivan,et al.  Towards a rigorous definition of information system survivability , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[12]  George P. Richardson,et al.  Teamwork in group model building , 1995 .

[13]  J. R. Aiello,et al.  Electronic performance monitoring and social context: impact on productivity and stress. , 1995, The Journal of applied psychology.

[14]  Simon Peck,et al.  Group Model Building: Facilitating Team Learning Using System Dynamics , 1996, J. Oper. Res. Soc..

[15]  K. Eisenhardt Agency Theory: An Assessment and Review , 1989 .

[16]  Jac A. M. Vennix,et al.  Group model‐building to facilitate organizational change: an exploratory study , 1996 .

[17]  T. Millon,et al.  Personality and social psychology , 2003 .

[18]  H. Lipson Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues , 2002 .

[19]  Eric Flamholtz,et al.  Organizational Control Systems as a Managerial Tool , 1979 .

[20]  David A. Fisher,et al.  Survivability—a new technical and business perspective on security , 1999, NSPW '99.

[21]  SpitznerLance The Honeynet Project , 2003, S&P 2003.

[22]  Jose J. Gonzalez,et al.  The Role of Learning and Risk Perception in Compliance , 2003 .

[23]  Paul E. Johnson,et al.  Detecting deception: adversarial problem solving in a low base-rate world , 2001, Cogn. Sci..

[24]  Paul Jones,et al.  Secrets and Lies: Digital Security in a Networked World , 2002 .

[25]  C. Barnard The Functions of the Executive , 1939 .

[26]  T. Tyler,et al.  A Relational Model of Authority in Groups , 1992 .

[27]  R. Lewicki,et al.  Developing and Maintaining Trust in Work Relationships , 1996 .

[28]  Gareth R. Jones Task Visibility, Free Riding, and Shirking: Explaining the Effect of Structure and Technology on Employee Behavior , 1984 .

[29]  William L. Fithen,et al.  State of the Practice of Intrusion Detection Technologies , 2000 .

[30]  Pascale Carayon,et al.  Effects of electronic performance monitoring on job design and worker stress: Results of two studies , 1994, Int. J. Hum. Comput. Interact..

[31]  Andrew P. Moore,et al.  Trustworthy Refinement Through Intrusion-Aware Design (TRIAD) , 2003 .

[32]  Nancy R. Mead,et al.  Survivable Network Systems: An Emerging Discipline , 1997 .