Leveraging the Multi-Stakeholder Nature of Cyber Security

利用网络安全的多利益相关者性质

• 批准号: EP/P011918/1
• 负责人: Christian Wagner
• 金额: $ 98.17万
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FP011918%2F1
• 关键词: Leveraging; Multi; Stakeholder; Nature; Cyber

Cyber Security (CyS) is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise to comprehensively assess the level of security of a given IT system is commonly not all available in one location; e.g. detail on the IT components within a company is available within that company, while detail on operating system software vulnerability may be available to the OS manufacturer and further expert insight may be available to public security agencies, such as CESG. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to effectively communicate and work together in order to deliver systems with an appropriate level of CyS assurance.This interdisciplinary project brings together leading academic experts from the University of Nottingham, UK and Carnegie Mellon University, USA, with a strongly integrated project partner: CESG - the UK's National Technical Authority for Information Assurance. The project is designed to leverage the distributed, multiple human stakeholder nature of CyS by developing a novel framework with the necessary scientific underpinning to improve user access to user-tailored CyS information, operationalised as a cutting-edge, data-driven Online CYber Security decision support System (OCYSS). This approach id designed to directly address an acute shortage of availability and access to highly qualified CyS experts by both small-to-large scale users from government to industry. The role of OCYSS is to effectively and efficiently integrate expert and user inputs, capturing commonly uncertain vulnerability levels of individual components as well as vulnerabilities arising from the interaction/combination of these components, to efficiently deliver appropriate, balanced, informed and up-to-date threat analysis and CyS decision support to users. Importantly, the OCYSS framework:- Addresses the limited availability of CyS experts by comprehensively capturing and aggregating their insight and expertise to assess the vulnerability, including associated levels of uncertainty, of individual system components (e.g. intrusion detection, encryption) and their interactions (e.g. SSL 3.0 and weak password). This information is captured centrally by OCYSS and updated regularly. - Avoids delays in threat analysis and potential mitigation by providing a direct pathway for newly discovered component vulnerabilities & component interaction vulnerabilities (and associated uncertainty) to be rapidly put forward, incl. by manufacturers such as Oracle and third party organisations such as Symantec.- Is designed to deliver user-tailored, comprehensive and up-to-date threat analysis and decision support which is continuously updated as new information becomes available. OCYSS two-stage outputs capture uncertainty in A) the threat analysis inputs (e.g. uncertainty around a component vulnerability over time and by different experts) and B) in intuitive benefit-cost analysis on threat mitigation in response to asset ranking by users (e.g. a low value asset may not warrant a high investment to address a low threat).Going beyond the scope of a standard research project, this project is designed to not only deliver cutting-edge science, developing key advances in data science and HCI, but to also deliver a real-world, open source prototype of the OCYSS framework. This enables the project to conduct an exceptional level of evaluation and tailoring to real-world CyS challenges, including the deployment of OCYSS in real-world contexts such as government departments advised by CESG. Further, through this approach, the project is able to deliver both open source algorithms and a substantial open-source software platform prototype, facilitating the academic reproduction of results, as well as substantially boosting the potential of commercial up-take of the project outcomes.

网络安全（CYS）是一个具有挑战性的，分布式的，多利益相关者的问题。它是从某种意义上分发的，即全面评估给定系统的安全性水平的专业知识通常在一个位置不可用。例如该公司内的IT组件中有关IT组件的详细信息，而操作系统软件漏洞的详细信息可能可供操作系统制造商获得，并且可以向CESG等公共安全机构提供更多专家洞察力。这是一个多方利益相关者的问题，因为从设计师到具有不同专业知识水平的用户，需要有效地交流和合作，以提供适当水平的CYS保证的系统，跨学科项目培养了这一领先的诺丁汉大学和Carnegie Mellelloy Intorlion Introvion Antimpers Introlignation Introvie Introlignation Introvie Introlignation Introvie Introlignation Introvie Introvie Anouse Introlity Introvie Antim at USAG，该项目与美国的领先学术组成 - 美国技术人员合作：保证。该项目旨在通过开发具有必要科学基础的新型框架来利用CYS的分布式，多个人类利益相关者的性质，以改善用户访问用户计算的CYS信息，该信息是作为尖端，数据驱动的在线网络安全决策支持系统（OCYSS）运行的。此方法ID旨在直接解决从政府到工业的小型范围用户对高素质CYS专家的严重短缺和访问高度合格的CYS专家的访问。 OCYS的作用是有效，有效地整合专家和用户的输入，捕获单个组件的通常不确定的脆弱性水平以及由这些组件的相互作用/组合引起的脆弱性，以有效地提供适当，平衡，知情，知情和最新的威胁和最新威胁分析，并与用户提供了决策支持。重要的是，OCYSS框架： - 通过全面捕获和汇总其洞察力和专业知识来评估CYS专家的可用性有限，以评估脆弱性，包括相关的不确定性，单个系统组件（例如，侵入式检测，加密）及其交互（例如SSL 3.0和弱密码）。此信息由OCYS中心捕获并定期更新。 - 避免通过为新发现的组件漏洞和组件互动漏洞（以及相关的不确定性）提供直接途径，以避免威胁分析和潜在缓解措施的延迟。由Oracle和Symantec等第三方组织等制造商旨在提供用户量，全面和最新的威胁分析和决策支持，随着新信息的可用性，这些威胁分析和决策支持不断更新。 OCYSS两阶段输出捕获了a）a）威胁分析输入（例如，围绕成分脆弱性的不确定性，随着时间的流逝和不同的专家的不确定性）和b）b）b）b）b）响应减轻威胁的福利成本分析，以响应用户对资产排名的响应减轻资产排名（例如，低价值资产都无法为较低的项目而设计的范围。数据科学和HCI的进步，但还提供了OCYSS框架的实际开源原型。这使该项目能够针对现实世界中的CYS挑战进行特殊水平的评估和裁缝，包括在现实世界中的OCYS部署，例如CESG建议的政府部门。此外，通过这种方法，该项目能够提供开源算法和实质性的开源软件平台原型，从而促进了结果的学术复制，并大大提高了项目成果的商业化潜力。

项目成果

Responsible research and innovation in practice: Driving both the 'How' and the 'What' to research

实践中负责任的研究和创新：推动研究“如何”和“什么”

• DOI: 10.1016/j.jrt.2022.100042
• 发表时间: 2022
• 期刊: Journal of Responsible Technology
• 作者: Chen J

Do People Prefer to Give Interval-Valued or Point Estimates and Why?

人们更喜欢给出区间值估计还是点估计？为什么？

• DOI: 10.1109/fuzz45933.2021.9494507
• 发表时间: 2021
• 作者: Ellerby Z

Insights from interval-valued ratings of consumer products-a DECSYS appraisal

消费产品区间值评级的见解——DECSYS 评估

• DOI: 10.1109/fuzz48607.2020.9177634
• 发表时间: 2020
• 作者: Ellerby Z

Extension of Restricted Equivalence Functions and Similarity Measures for Type-2 Fuzzy Sets

• DOI: 10.1109/tfuzz.2021.3136349
• 发表时间: 2022-09
• 期刊: IEEE Transactions on Fuzzy Systems
• 影响因子: 11.9
• 作者: Laura De Miguel;R. Santiago;Christian Wagner;J. Garibaldi;Z. Takác̆;A.F. Roldan Lopez de Hierro;H. Bustince

Similarity between interval-valued fuzzy sets taking into account the width of the intervals and admissible orders

• DOI: 10.1016/j.fss.2019.04.002
• 发表时间: 2020-07
• 期刊: Fuzzy Sets Syst.
• 作者: H. Bustince;C. Marco-Detchart;Javier Fernández;Christian Wagner;J. Garibaldi;Z. Takác̆