Systematic Decision Making in Security Management: Modelling Password Usage and Support

David J. Pym

Systematic Decision Making in Security Management: Modelling Password Usage and Support

David J. Pym

Computing Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

Original language	English
Title of host publication	Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.
Number of pages	12
Publication status	Published - 2012
Event	QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS - Pisa, Italy Duration: 14 Sep 2012 → …

Conference

Conference	QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS
Country	Italy
City	Pisa
Period	14/09/12 → …

Fingerprint

Decision making

Security management

Modeling

Optimal policy

Trade-offs

Empirical data

Factors

Breach

Initial conditions

Methodology

Policy options

System model

Productivity

Simulation

Cite this

Pym, D. J. (2012). Systematic Decision Making in Security Management: Modelling Password Usage and Support. In Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.

Systematic Decision Making in Security Management: Modelling Password Usage and Support. / Pym, David J.

Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.. 2012.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Pym, DJ 2012, Systematic Decision Making in Security Management: Modelling Password Usage and Support. in Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.. QASA 2012 International Workshop on Quantitative Aspects in Security Assurance: Affiliated workshop with ESORICS, Pisa, Italy, 14/09/12.

Pym DJ. Systematic Decision Making in Security Management: Modelling Password Usage and Support. In Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.. 2012

Pym, David J. / Systematic Decision Making in Security Management: Modelling Password Usage and Support. Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.. 2012.

@inproceedings{608bd3d1905f4b6592f550576671c471,

title = "Systematic Decision Making in Security Management: Modelling Password Usage and Support",

abstract = "We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.",

author = "Pym, {David J.}",

year = "2012",

language = "English",

booktitle = "Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.",

}

TY - GEN

T1 - Systematic Decision Making in Security Management: Modelling Password Usage and Support

AU - Pym, David J.

PY - 2012

Y1 - 2012

N2 - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

AB - We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded in empirical data, to compare, using simulations, two different policy options. The problem is framed economically, with the basis of the comparison being a notion of organizational utility. We quantify utility in this case by considering breaches of system security, users' productivity, and investment in support operations. Using our results, we are able to explore trade-offs between these factors and thus determine the optimal policy configuration given the initial conditions.

M3 - Conference contribution

BT - Proceedings of the International Workshop on Quantitative Aspects in Security Assurance (QASA 2012): Affiliated Workshop of ESORICS 2012.

ER -