On Tools for Socio-Technical Security Analysis
Authors
Abstract
Many systems are hacked daily and apparently without much effort (e.g., see [1]). This happens because hackers prefer not to break security mechanisms immediately, but rather to target unguarded components first. Such components, e.g., users and human-computer ceremonies [2], are hacked by exploiting cognitive features (e.g., trust) and people's dismay with ill-designed interfaces. These user-related components are often ignored in traditional security analysis. Thus, it should not be surprising that systems proved secure may fail, especially when they run in contexts different from those in which they were proven secure. We are interested in defining a framework in which to model and analyse a system's social and technical components. We describe here a variant of Bella et al.'s model [3]. Therein, Alice and Bob are not metaphors for communicating processes, but personae linked to a set of interaction layers (see Fig. 1 and its caption) that connect humans and computers and, via the network, connect them with other computers and users. On top of this model we define an intruder. It controls the network, as in classical Dolev-Yao [4], and also the application, the user interfaces, and the context. When using its full power, the intruder can influence the components and the user behaviour, and so security depends on what happens across all layers: the security analysis becomes richer, and we talk of socio-technical security analysis. Studying socio-technical security compels us to revise traditional analysis techniques. Depending on the focus of the analysis, in fact, we may need different methodologies and tools. An analysis focusing more on the technical side (communicating processes, applications and interfaces), with attackers controlling the networks and/or the interfaces, requires tools to reason about the behaviour of software components.
An analysis addressing more the social side (persona and user behaviour) requires observing and reasoning about users interacting with the system, and hence a research methodology proper to the social and cognitive sciences. In the sequel, we comment on methodologies and tools that we evaluated and selected in two experiments concerning socio-technical understanding of the security of TLS certificate validation. We have successfully applied formal methods (model checking) when considering layers “network”
Similar resources
Assessing ICT Security Risks in Socio-Technical Systems (Dagstuhl Seminar 16461)
This report documents the program and the outcomes of Dagstuhl Seminar 16461 “Assessing ICT Security Risks in Socio-Technical Systems”. As we progress from classic mechanical or electrical production systems, over ICT systems, to socio-technical systems, risk assessment becomes increasingly complex and difficult. Risk assessment for traditional engineering systems assumes the systems to be dete...
Information security culture - from analysis to change
Information Security Culture includes all socio-cultural measures that support technical security methods, so that information security becomes a natural aspect in the daily activity of every employee. To apply these socio-cultural measures in an effective and efficient way, certain management models and tools are needed. In our research we developed a framework analyzing the security culture o...
Dealing with Security Requirements for Socio-Technical Systems: A Holistic Approach
Security has been a growing concern for most large organizations, especially financial and government institutions, as security breaches in the socio-technical systems they depend on are costing billions. A major reason for these breaches is that socio-technical systems are designed in a piecemeal rather than a holistic fashion that leaves parts of a system vulnerable. To tackle this problem, w...
STS-Tool 3.0: Maintaining Security in Socio-Technical Systems
In this paper, we present STS-Tool 3.0: a software tool that helps security requirement engineers in maintaining a high level of security in socio-technical systems. STS-Tool 3.0 allows specifying social/organizational security requirements and enforcing them in part of the implementation of socio-technical systems.
From Situation Awareness to Action: An Information Security Management Toolkit for Socio-technical Security Retrospective and Prospective Analysis
Inspired by the root cause analysis procedures common in safety, we propose a methodology for a prospective and a retrospective analysis of security and a tool that implements it. When applied prospectively, the methodology guides analysts to assess socio-technical vulnerabilities in a system, helping them to evaluate their choices in designing security policies and controls. But the methodolog...