A Conceptual Framework to Study Socio-Technical Security

  • Ana Ferreira
  • Jean-Louis Huynen
  • Vincent Koenig
  • Gabriele Lenzini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


We propose an operational framework for a social, technical and contextual analysis of security. The framework provides guidelines about how to model a system as a layered set of interacting elements, and proposes two methodologies to analyse technical and social vulnerabilities. We show how to apply the framework in a use case scenario.


Keywords: socio-technical framework; security analysis


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Ana Ferreira (1, 2)
  • Jean-Louis Huynen (1, 2)
  • Vincent Koenig (1, 2)
  • Gabriele Lenzini (2)
  1. Institute of Cognitive Science and Assessment, Univ. of Luxembourg, Luxembourg
  2. Interdisciplinary Centre for Security, Reliability and Trust, Univ. of Luxembourg, Luxembourg