An Information Security Management for Socio-Technical Analysis of System Security

  • Jean-Louis Huynen
  • Gabriele Lenzini
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 867)


Concerned about the technical and social aspects at the root causes of security incidents, and about how they can hide security vulnerabilities, we propose a methodology compatible with the Information Security Management life-cycle. Retrospectively, it supports analysts in reasoning about the socio-technical causes of observed incidents; prospectively, it helps designers account for human factors and remove potential socio-technical vulnerabilities from a system's design. The methodology, called S·CREAM, stems from practices in safety, but because of key differences between the two disciplines, migrating concepts, techniques, and tools from safety to security requires a complete re-thinking. S·CREAM is supported by a tool, which we implemented. When available online, it will assist security analysts and designers in their tasks. Using S·CREAM, we discuss potential socio-technical issues in the YubiKey two-factor authentication device.


Keywords: Socio-technical security · Information Security Management and Reasoning · Root Cause Analysis


Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, Esch-sur-Alzette, Luxembourg