Analysis of the Building Security Policy Decisions

Saheed. A. Busari and Emmanuel Letier

RADAR is a lightweight modelling language and tool for analysing software requirements and architecture decisions (Busari and Letier, 2016). This report presents an application of RADAR to the analysis of of the building security policy decisions for an organisation.

Our analysis is motivated by and based on previous studies of improving security policy decisions with models (T.Caulfield., 2015) and of modelling and simulating systems security policy (T.Caulfield., 2015).

Problem Description

This example models and analyses security policy decisions for an organisation concerned with leaks of confidential information. The full problem is described in (T.Caulfield., 2015).

The organisation is concerned about its employees’ habit of sharing documents through a globally shared drive. Stroring files on the shared drive facilitates the employees’ work but increases the risk and extent of insiders’ leaks. The organisation is considering recommending its employees to share documents through emails or portable media devices instead of using the shared drive.

The organisation is also concerned by theft of documents stored on portable media devices (USB, CD). The model considers only theft of such devices inside the organisation premises. To prevent thieves entering the building, its entrance is equipped with automated gates where employees have to swipe their access card to enter the building. Because of tailgating risks, the organisation is considering adding a security guard to reinforce security at the building entrance.

Design Decisions

Modelling the Optimisation Objectives

The primary decision objectives are related to the uncertain costs associated to the disclosure of confidential documents:

Objective Min ExpectedCostOfDisclosures = EV(Cost_of_Disclosures);
Objective Min RiskOfCatastrophicDisclosures = Pr(Cost_of_Disclosure > 10^6);

Modelling Costs of Disclosures

We assume three categories of confidential documents (high, medium, and low confidentiality) with different costs to the organisation if they are leaked. Our model assumnes that the cost of document disclosure is a function of number of leaked confidential documents and the cost of the leaked documents:

Cost_of_Disclosures = 
    Nbr_HighConfidentialityLeaks * Cost_HighConfidentialityLeak
    + Nbr_MediumConfidentialityLeaks * Cost_MediumConfidentialityLeak
    + Nbr_LowConfidentialityLeaks * Cost_LowConfidentialityLeak;
  

The number of leaked confidential documents is the product of the number of leaked documents multiplied by the ratio of confidential documents leaked.

      
Nbr_HighConfidentialityLeaks = Nbr_LeakedDoc * Ratio_HighConfientialityDocs;
Nbr_MediumConfidentialityLeaks = Nbr_LeakedDoc * Ratio_MediumConfientialityDocs;
Nbr_LowConfidentialityLeaks = Nbr_LeakedDoc * Ratio_LowConfientialityDocs;

Each document category is present in uncertain quantity and has uncertain cost of disclosure:

Ratio_HighConfidentialityDocs = uniform(0.5%, 2%);
Ratio_MediumConfidentialityDocs =uniform(4%, 10%);
Ratio_LowConfidentialityDocs = uniform(30%, 60%);
    
Cost_HighConfidentialityLeak = normalCI(0.5*10^6, 5*10^6);
Cost_MediumConfidentialityLeak = normalCI(10^4, 5*10^4);
Cost_LowConfidentialityLeak = normalCI(10^2, 10^4);

Modelling Documents Leaks

Documents can be leaked by insiders or stolen by outsiders who managed to gain access to the building.

Nbr_LeakedDoc = 
        Nbr_DocsLeakedByInsiders + Nbr_DocsStolenByOutsiders
                        

Modelling Insiders' Leaks

The number of documents leaked by an insider is a function of the probability of an insider leak, Probability_InsidersLeak , the number of documents on shared drive, Nbr_DocsOnSharedDrive and the SharedDriveLeakRange, which is the portion of documents on the shared drive that are leaked by insider when a leaks occurs.

Nbr_DocsLeakedByInsiders = 
       Probability_InsidersLeak * 
       Nbr_DocsOnSharedDrive * 
       SharedDriveLeakRange;
       
Probability_InsidersLeak = deterministic(10^-3);
SharedDriveLeakRange = triangular(10%, 50%, 100%);

Modelling Attackers' Intrusions

The attackers’ intrusion model attempts to predict the number of documents stolen by outsiders over a year based on whether or not the building security gates are guarded or not. The number of documents stolen over a year depends on the number of intrusions during the year and the number of documents stolen during each intrusion, which depends on the number of external media in use and the number of documents stored in each media.

Nbr_DocsStolenByOutsiders = 
        Nbr_OfficeIntrustions
        * Nbr_DocsStolenPerIntrusion;
        
Nbr_OfficeIntrusions = decision("Building entry security"){
        "not guarded"   : triangular(0, 3, 6);
        "guarded"       : triangular(0, 1, 2);
}

Nbr_DocsStolenPerIntrusion = 
        Nbr_ExternalMediaStolenPerIntrusion *
        Nbr_DocsPerExternalMedia
        
Nbr_ExternalMediaStolenPerIntrusion = 
        Nbr_ExternalMediaInUse *
        Percentage_MediaStolenPerInstrusion
                
Percentage_MediaStolenPerInstrusion = 
        triangular(0, 1%, 10%);

Modelling Documents Sharing

The number of documents on the shared drive and on external media depends on the organisation’s document sharing policy:

Nbr_DocsOnSharedDrive = decision("Document Sharing Policy"){
            "Neutral": deterministic(143);
            "Recommend Email":deterministic(44);
            "Recommend External Media": deterministic(91);
} 

Nbr_DocsOnExternalMedia = decision("Document Sharing Policy"){
            "Neutral": deterministic(0);
            "Recommend Email":deterministic(0);
            "Recommend External Media": deterministic(52);
}

Nbr_ExternalMediaInUse = Nbr_DocsOnExternalMedia / Nbr_DocsPerMedia;

Nbr_DocsPerMedia = triangular(0, 5, 10) ;

    

Data about the number of documents on shared drive and on external media come from Table 1 in [2], and the AND/OR graph for the cost of disclosue is shown in figure 1.

Figure 1: Cost of Disclosure AND/OR Graph

Analysis Results

Optimisation Analysis

Here is a summary of the modelling and analysis information:

The model analysis generates the following solutions:

Figure 4: Building Security Policy model pareto front

These results show that the two shortlisted solutions (those that are Pareto optimal) include recommend email as document sharing policy. This means that, in our model, the option share documents by email outperforms both the neutral and external media in both objectives.

When the recommend email option is selected, the shortlist includes both the guard and not guarded options of the building entry security decision; each combination representing a different tradeoffs between minimising the expected cost of disclose, ExpectedCostOfDisclosures and minising the risk of catastrophic disclosure, RiskOfCatastrophicDisclosures..

To visualise such tradeoffs, RADAR generates the graph in Fig. 4 plotting the objective values for the shortlised solutions (shown squares at the top of the graph) and all other non shortlisted ones (shown as circles).

Information Value Analysis

Analysing information value gives the following results that show that the information value for all model parameters is very low:

EVTPI = 0

References

1. Saheed A. Busari and Emmanuel Letier, "RADAR: A lightweight tool for requirements and architecture decision analysis," in submission, August 2016

2. T. Caulfield and D. Pym, “Improving Security Policy Decisions with Models, in IEEE Security & Privacy, vol. 13, no. 5, pp. 34-41, Sept.-Oct. 2015.

3. T. Caulfield and D. Pym, “Modelling and simulating systems security policy, in Poc. of the 8th International Conference on Simulation Tools and Techniques (SIMUTools '15), pp. 9-18, Brussels, Belgium, 2015.