Systematic Decision Making in Security Management: Modelling Password Usage and Support

David J. Pym

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.
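A toy version of the method the abstract describes, added here as an illustration; it is not the paper's model, whose structure, empirical data and parameters are not reproduced on this page. The two policies (STRICT, LENIENT), their per-user daily event probabilities, the reset costs, the assumed cost of a breach and the hourly value of user time are all made-up parameters chosen only to make the trade-off visible. The block simulates each policy over the same users and days with the same seed, scores the outcome with a utility that negates the combined cost of breaches, lost productivity and support operations, and sweeps the assumed breach cost to show where the preferred policy flips.

```python
"""Toy executable model for comparing two password policies by organisational
utility.  Added illustration: the paper's own model, data and parameters are not
on this page, so every number here is an assumption."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Policy:
    """A password policy configuration (hypothetical parameters)."""
    name: str
    p_forget_per_day: float        # per-user daily chance of a forgotten password
    p_compromise_per_day: float    # per-user daily chance of credential compromise
    reset_support_cost: float      # helpdesk cost of one reset (support investment)
    reset_downtime_hours: float    # user time lost per reset (productivity)


@dataclass(frozen=True)
class Outcome:
    breaches: int
    resets: int
    productivity_loss_hours: float
    support_cost: float


def simulate(policy: Policy, users: int, days: int, seed: int) -> Outcome:
    """Run one seeded simulation of `users` people over `days` under `policy`.

    Each user-day independently draws a forgotten-password event (costing a
    helpdesk reset plus user downtime) and a compromise event (a breach)."""
    rng = random.Random(seed)
    breaches = resets = 0
    for _ in range(days):
        for _ in range(users):
            if rng.random() < policy.p_forget_per_day:
                resets += 1
            if rng.random() < policy.p_compromise_per_day:
                breaches += 1
    return Outcome(
        breaches=breaches,
        resets=resets,
        productivity_loss_hours=resets * policy.reset_downtime_hours,
        support_cost=resets * policy.reset_support_cost,
    )


def utility(outcome: Outcome, breach_cost: float, hourly_value: float) -> float:
    """Organisational utility: the negated total cost of breaches, lost
    productivity and support operations (closer to zero is better)."""
    return -(breach_cost * outcome.breaches
             + hourly_value * outcome.productivity_loss_hours
             + outcome.support_cost)


def compare(policies, users, days, seed, breach_cost, hourly_value):
    """Utility per policy under identical initial conditions; returns (table, best)."""
    table = {p.name: utility(simulate(p, users, days, seed), breach_cost, hourly_value)
             for p in policies}
    best = max(table, key=table.get)
    return table, best


def crossover_breach_cost(policies, users, days, seed, hourly_value, costs):
    """Sweep the assumed cost of a breach and report which policy wins at each
    value: the trade-off exploration the abstract refers to."""
    return {c: compare(policies, users, days, seed, c, hourly_value)[1] for c in costs}


# Hypothetical policies: stricter rules lower compromise odds but raise resets.
STRICT = Policy("strict", p_forget_per_day=0.010, p_compromise_per_day=0.00005,
                reset_support_cost=25.0, reset_downtime_hours=0.5)
LENIENT = Policy("lenient", p_forget_per_day=0.002, p_compromise_per_day=0.00050,
                 reset_support_cost=25.0, reset_downtime_hours=0.5)

if __name__ == "__main__":
    table, best = compare([STRICT, LENIENT], users=1000, days=250, seed=1,
                          breach_cost=20_000.0, hourly_value=40.0)
    print(table, "best:", best)
    print(crossover_breach_cost([STRICT, LENIENT], 1000, 250, 1, 40.0,
                                [100.0, 1_000.0, 10_000.0]))
```

With the assumed numbers the lenient policy only wins when a breach is cheap relative to a helpdesk reset; raising the assumed breach cost moves the optimum to the strict policy, which is the kind of sensitivity an organisation would check before committing to a policy.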
Original language: English
Title of host publication: Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.
Number of pages: 12
Publication status: Published - 2012
Event: QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS - Pisa, Italy
Duration: 14 Sep 2012 → …

Conference

Conference: QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS
Country: Italy
City: Pisa
Period: 14/09/12 → …

Fingerprint

Decision making
Security management
Modeling
Optimal policy
Trade-offs
Empirical data
Factors
Breach
Initial conditions
Methodology
Policy options
System model
Productivity
Simulation

Cite this

Pym, D. J. (2012). Systematic Decision Making in Security Management: Modelling Password Usage and Support. In Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.

@inproceedings{608bd3d1905f4b6592f550576671c471,
title = "Systematic Decision Making in Security Management: Modelling Password Usage and Support",
abstract = "We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.",
author = "Pym, {David J.}",
year = "2012",
language = "English",
booktitle = "Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.",

}

TY - GEN

T1 - Systematic Decision Making in Security Management: Modelling Password Usage and Support

AU - Pym, David J.

PY - 2012

Y1 - 2012

N2 - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

AB - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

M3 - Conference contribution

BT - Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.

ER -