IKTSIKKER-IKT sikkerhet og sårbarhet

A Model-Based Approach to Security Culture

Awarded: NOK 3.2 mill.

During the last twelve months we have established an interdisciplinary collaboration with highly ranked US institutions (CERT/CC at Carnegie Mellon, Center of Excellence Software Assurance Institute and School of Information Studies at Syracuse University, Rockefeller College of Public Affairs and Policy, University at Albany), a leading Spanish university and the largest independent Scandinavian R&D institute SINTEF. An essential component of the collaboration is our discipline – system dynamics (SD). We have jointly identified research challenges that are far from a satisfactory solution. A major one – identifying and suppressing dynamic triggers that escalate to create organizational vulnerabilities – is the theme of a joint grant proposal to the National Science Foundation (NSF). Another important one – central for this project AMBASEC – is advancing the quality of reporting and use of ICT security incident data. SD group modelling is a promising methodology to employ in this respect because of its ability to capture and combine different types of knowledge (both formal/explicit and informal/tacit expert knowledge) into dynamic models that yield robust behaviour modes – quantitative results do depend on data quality but the BEHAVIOUR MODES or PATTERNS are much more stable and create a sense of direction from near the beginning of the model-building. We aim at one PhD thesis and a post-doctoral contribution applied to CSIRT and consisting of dynamic models with user-oriented add-ons (maps, archetypes, policy analysis & recommendations, Interactive Learning Environments, audit instruments, user materials) thoroughly validated and evaluated. Using and extending methods developed in previous work we will also evaluate mental models in relation to security culture. Our methodology is a double-loop learning research approach. The project will involve industrial partners and SINTEF. Depending on funding, we will exploit synergies with the proposed NSF project.

Funding scheme:

IKTSIKKER-IKT sikkerhet og sårbarhet