Found in Translation: Co-design for Security Modelling

Part of the Lecture Notes in Computer Science book series (LNCS, volume 13176)

Abstract

Background. In increasingly complex and dynamic environments, it is difficult to predict the potential outcomes of security policies. Security managers (and other stakeholders) are therefore often challenged to design and implement security policies without knowing their consequences for the organization.

Aim. Modelling, as a tool for thinking, can help identify those consequences in advance, as a way of managing the risks and uncertainties of decision-making. Our co-design approach aims to tackle the challenges of problem definition, data availability, and data collection that arise when modelling behavioural and cultural aspects of security.

Method. Our process of modelling co-design is a proposed solution to these challenges, in particular for models that aim to incorporate organizational security culture. We present a case study of a long-term study at Company A, in which the use of participatory action research, humble inquiry, and thematic analysis largely shaped our understanding of co-design. We reflect on the methodological advantages of co-design, as well as its shortcomings.

Result. Our methodology engages modellers and system stakeholders through a four-stage co-design process consisting of (1) observation and candidate data availability, (2) candidate model design, (3) interpretation of model consequences, and (4) interpretation of domain consequences.

Conclusion. We have proposed a new methodology that integrates the concept of co-design into the classical modelling cycle and provides a rigorous methodology for constructing models that capture the system and its behaviours accurately. We have also demonstrated what an attempt at co-design looks like in the real world, and reflected upon necessary improvements.

Keywords

  • Security co-design
  • Security modelling
  • Security culture


Author information

Correspondence to Albesë Demjaha.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Demjaha, A., Pym, D., Caulfield, T. (2022). Found in Translation: Co-design for Security Modelling. In: Parkin, S., Viganò, L. (eds) Socio-Technical Aspects in Security. STAST 2021. Lecture Notes in Computer Science, vol 13176. Springer, Cham. https://doi.org/10.1007/978-3-031-10183-0_6

  • DOI: https://doi.org/10.1007/978-3-031-10183-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-10182-3

  • Online ISBN: 978-3-031-10183-0

  • eBook Packages: Computer Science (R0)