Leveraging the Multi-Stakeholder Nature of Cyber Security

利用网络安全的多利益相关者性质

• 批准号: EP/P011918/1
• 负责人: Christian Wagner
• 金额: $ 98.17万
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FP011918%2F1
• 关键词: Leveraging; Multi; Stakeholder; Nature; Cyber

Cyber Security (CyS) is a challenging, distributed, multi-stakeholder problem. It is distributed in the sense that the expertise to comprehensively assess the level of security of a given IT system is commonly not all available in one location; e.g. detail on the IT components within a company is available within that company, while detail on operating system software vulnerability may be available to the OS manufacturer and further expert insight may be available to public security agencies, such as CESG. It is a multi-stakeholder problem because a number of human stakeholders, from IT designers to users with varying levels of expertise, need to effectively communicate and work together in order to deliver systems with an appropriate level of CyS assurance.This interdisciplinary project brings together leading academic experts from the University of Nottingham, UK and Carnegie Mellon University, USA, with a strongly integrated project partner: CESG - the UK's National Technical Authority for Information Assurance. The project is designed to leverage the distributed, multiple human stakeholder nature of CyS by developing a novel framework with the necessary scientific underpinning to improve user access to user-tailored CyS information, operationalised as a cutting-edge, data-driven Online CYber Security decision support System (OCYSS). This approach id designed to directly address an acute shortage of availability and access to highly qualified CyS experts by both small-to-large scale users from government to industry. The role of OCYSS is to effectively and efficiently integrate expert and user inputs, capturing commonly uncertain vulnerability levels of individual components as well as vulnerabilities arising from the interaction/combination of these components, to efficiently deliver appropriate, balanced, informed and up-to-date threat analysis and CyS decision support to users. Importantly, the OCYSS framework:- Addresses the limited availability of CyS experts by comprehensively capturing and aggregating their insight and expertise to assess the vulnerability, including associated levels of uncertainty, of individual system components (e.g. intrusion detection, encryption) and their interactions (e.g. SSL 3.0 and weak password). This information is captured centrally by OCYSS and updated regularly. - Avoids delays in threat analysis and potential mitigation by providing a direct pathway for newly discovered component vulnerabilities & component interaction vulnerabilities (and associated uncertainty) to be rapidly put forward, incl. by manufacturers such as Oracle and third party organisations such as Symantec.- Is designed to deliver user-tailored, comprehensive and up-to-date threat analysis and decision support which is continuously updated as new information becomes available. OCYSS two-stage outputs capture uncertainty in A) the threat analysis inputs (e.g. uncertainty around a component vulnerability over time and by different experts) and B) in intuitive benefit-cost analysis on threat mitigation in response to asset ranking by users (e.g. a low value asset may not warrant a high investment to address a low threat).Going beyond the scope of a standard research project, this project is designed to not only deliver cutting-edge science, developing key advances in data science and HCI, but to also deliver a real-world, open source prototype of the OCYSS framework. This enables the project to conduct an exceptional level of evaluation and tailoring to real-world CyS challenges, including the deployment of OCYSS in real-world contexts such as government departments advised by CESG. Further, through this approach, the project is able to deliver both open source algorithms and a substantial open-source software platform prototype, facilitating the academic reproduction of results, as well as substantially boosting the potential of commercial up-take of the project outcomes.

网络安全（CyS）是一个具有挑战性的、分布式的、多利益相关者的问题。从某种意义上说，它是分布式的，即全面评估给定 IT 系统安全级别的专业知识通常无法在一个地点获得。例如有关公司内部 IT 组件的详细信息可在该公司内部获得，而有关操作系统软件漏洞的详细信息可提供给操作系统制造商，并且进一步的专家见解可提供给公共安全机构，例如 CESG。这是一个多利益相关者的问题，因为许多人类利益相关者，从 IT 设计师到具有不同专业水平的用户，需要有效地沟通和合作，以便交付具有适当水平的 CyS 保证的系统。这个跨学科项目汇集了来自英国诺丁汉大学和美国卡内基梅隆大学的顶尖学术专家，以及强大的综合项目合作伙伴：CESG - 英国国家信息保障技术局。该项目旨在通过开发具有必要科学基础的新颖框架来利用 CyS 的分布式、多个人类利益相关者的性质，以改善用户对用户定制的 CyS 信息的访问，并将其作为尖端的、数据驱动的在线网络安全决策进行操作支持系统（OCYSS）。这种方法旨在直接解决从政府到行业的小型到大型用户的可用性和高素质 CyS 专家的严重短缺问题。 OCYSS 的作用是有效且高效地整合专家和用户的输入，捕获各个组件通常不确定的漏洞级别以及这些组件交互/组合所产生的漏洞，以有效地提供适当、平衡、知情和最新的信息。为用户提供数据威胁分析和 CyS 决策支持。重要的是，OCYSS 框架： - 通过全面捕获和汇总 CyS 专家的见解和专业知识来评估各个系统组件（例如入侵检测、加密）及其交互（例如网络安全）的漏洞，包括相关的不确定性级别，从而解决 CyS 专家的可用性有限的问题。 SSL 3.0 和弱密码）。该信息由 OCYSS 集中捕获并定期更新。 - 通过为新发现的组件漏洞和组件交互漏洞（以及相关的不确定性）提供快速提出的直接途径，避免威胁分析和潜在缓解的延迟，包括。由 Oracle 等制造商和 Symantec 等第三方组织提供。- 旨在提供用户定制的、全面的、最新的威胁分析和决策支持，并随着新信息的出现而不断更新。 OCYSS 两阶段输出捕获以下方面的不确定性：A) 威胁分析输入（例如，随着时间的推移，不同专家对组件漏洞的不确定性）；B) 根据用户的资产排名，对威胁缓解进行直观的收益-成本分析（例如，低价值资产可能无法保证高投资来解决低威胁）。该项目超出了标准研究项目的范围，旨在不仅提供尖端科学，开发数据科学和人机交互方面的关键进展，而且还提供了一个真实的世界， OCYSS 框架的开源原型。这使得该项目能够针对现实世界的 CyS 挑战进行卓越水平的评估和定制，包括在现实世界环境中部署 OCYSS，例如 CESG 建议的政府部门。此外，通过这种方法，该项目能够提供开源算法和实质性的开源软件平台原型，促进结果的学术复制，并大大提高项目成果的商业应用潜力。

项目成果

Responsible research and innovation in practice: Driving both the 'How' and the 'What' to research

实践中负责任的研究和创新：推动研究“如何”和“什么”

• DOI: 10.1016/j.jrt.2022.100042
• 发表时间: 2022
• 期刊: Journal of Responsible Technology
• 作者: Chen J

Do People Prefer to Give Interval-Valued or Point Estimates and Why?

人们更喜欢给出区间值估计还是点估计？为什么？

• DOI: 10.1109/fuzz45933.2021.9494507
• 发表时间: 2021
• 作者: Ellerby Z

Insights from interval-valued ratings of consumer products-a DECSYS appraisal

消费产品区间值评级的见解——DECSYS 评估

• DOI: 10.1109/fuzz48607.2020.9177634
• 发表时间: 2020
• 作者: Ellerby Z

Extension of Restricted Equivalence Functions and Similarity Measures for Type-2 Fuzzy Sets

• DOI: 10.1109/tfuzz.2021.3136349
• 发表时间: 2022-09
• 期刊: IEEE Transactions on Fuzzy Systems
• 影响因子: 11.9
• 作者: Laura De Miguel;R. Santiago;Christian Wagner;J. Garibaldi;Z. Takác̆;A.F. Roldan Lopez de Hierro;H. Bustince

Capturing richer information: On establishing the validity of an interval-valued survey response mode.

• DOI: 10.3758/s13428-021-01635-0
• 发表时间: 2022-06
• 期刊: BEHAVIOR RESEARCH METHODS
• 影响因子: 5.4
• 作者: Ellerby, Zack;Wagner, Christian;Broomell, Stephen B.
• 通讯作者: Broomell, Stephen B.