- Traditional cybersecurity risk assessment is reactive and based on business risk assessment approach. The 2014 NIST Cybersecurity Framework provides businesses with an organizational tool to catalog cybersecurity efforts and areas that need additional support. As part of an on-going effort to develop a holistic, predictive cyber security risk assessment model, the characterization of human factors, which includes human behavior, is needed to understand how the actions of users, defenders (IT personnel), and attackers affect cybersecurity risk. Trust has been found to be a crucial element affecting an individual's role within a cyber system. The use of trust as a human factor in holistic cybersecurity risk assessment relies on an understanding how differing mental models, risk postures, and social biases impact the level trust given to an individual and the biases affecting the ability to give said trust. The Human Factors Ontology illustrates the individual characteristics, situational characteristics, and relationships that influence the trust given to an individual. Furthering the incorporation of ontologies into the science of cybersecurity will help decision-makers build the foundation needed for predictive and quantitative risk assessments.
I. INTRODUCTION A. The Holistic Cybersecurity Risk Framework
The science of cybersecurity risk assessment has been
reactive, narrow in focus, and based on a business risk
assessment approach. More recently, the National Institute
of Science and Technology (NIST) responded to the 2013
“Improving Critical Infrastructure Cybersecurity” Executive
Order with the development of the 2014 NIST
Cybersecurity Framework [
To go beyond the current risk framework promulgated
by NIST [
First, when considering CIA, the actual measurement or evaluation of these vulnerabilities will depend on the situation being modeled. Situations requiring cybersecurity risk assessment can include baseline assessments of network protection, but must also include situations in which the network is being used actively. The actual metrics for, say, protection of an SQL database containing personal information (social security numbers, for example) may be very different than the metrics needed to be assessed when evaluating risk related to a field operation using radios, walkie talkies or cell phones to convey information.
Second, other variables beyond CIA may be the relevant risk variables that need to be analyzed in a risk model. Take, for example, a situation in which information being used, generated in, or relayed by one network needs to be received in a specific time window either for another operation to begin or so that the information can be used maybe by the human who will receive the information. Within a military or other time critical context, the evaluation goes beyond time to access information; it must include time to act on the accessed information and can include time for completion of actions within a critical time window. In this example, time to completion of a task is the critical metric that must be tracked, and so must be incorporated into the risk model.
Third, humans are a part of virtually all networks, whether as users, defenders (and IT personnel) or attackers. All humans can introduce risk into the network, not just attackers, a consideration acknowledged when users are asked how they use the system (and system components) as part of the NIST risk management and risk assessment process. Defenders or IT personnel can also increase cyber risk if they are, for example, less skilled, or tired, or inside threats. Humans can also reduce risk in a cybersecurity system. Defenders put in place baseline protections, and then track attacks on the system to assess whether the protections have been breached and what needs to be done to increase system hardening (protections), counteract malware that may have introduced access to the system (or otherwise compromised the system and system assets), and repair damage to the system. Users can decrease risk by being aware of (and not being hooked by) spam or phishing efforts, ensuring their personal system assets are appropriately protected, and by not downloading infected files or accessing malware-linked websites. Therefore, human-dependent metrics must be included in a holistic risk analysis of cyber security.
A fully predictive cyber security risk assessment model will take into account humans as risk factors, and as risk mitigators, and will enable the incorporation of metrics that go beyond the classic CIA vulnerabilities. In order to develop such a model, we have been characterizing the universe of cybersecurity by framing the characteristics, attributes and, ultimately, metrics that can be use to describe the risks associated with any cyber network. The framework has multiple pieces, and metrics that are assessed at different levels.
Three main parts to the Cybersecurity Risk Framework
identifies system level metrics, policy related metrics, and
asset related metrics. System level metrics are evaluated at
the full system level, such as probability of completion of a
mission or a system level task. Policy level metrics evaluate
the risks associated with the policies that govern the
network and network assets. Asset level metrics are
evaluated at the asset level, such as metrics to assess risks
associated with specific machines, a virtual network, or an
operating system. One piece of the asset level framework
characterizes the Human Factors that introduce or mitigate
risk in a cyber network [
A recent report on quantification of cyber threats
highlights the intrinsic complexity of the cyber domain [
Little effort has been put into this standardization
process. For instance, Fenz and Ekelhart propose an ontology
based on four parts, i.e. security and dependability
taxonomy, the underlying risk analysis methodology, the
concepts of the IT infrastructure domain and a simulation
enabling enterprises to analyze various policy scenarios [
The most popular modeling solution in risk-related ontology research seems to be the reification of riskassessment and threat-quantification into the process of ‘rating’, whose attributes are expressed either qualitatively (e.g., by means of high, medium and low dimensions in the Likert scale) or quantitatively (measuring the probability of a risk). Note that in ontology modeling, reification of properties is commonly adopted as a method to bypass language expressivity limits: in RDF, for instance, a relation with arity n > 2 can be represented with a statement about those n entities. Thus, for instance, we could represent the fact that a set of n cyber vulnerabilities exposes a system to a certain risk factor, by asserting a risk-rating statement about those known n vulnerabilities [8]. An alternative approach comes from Enterprise Risk Management (ERM), an area that concerns the identification, assessment and mitigation of operational risk: for instance, Lykourentzou and colleagues focus on seven subclasses of events, i.e. ‘Failure’, ‘Infrastructure disruption’, ‘Occupational incident’, ‘Fraud’, ‘Disaster’, ‘Attack’, binding each of these event types to a wide spectrum of ‘Root causes’ and ‘Treatment plans’ to address risk factors [9]. ERM’s approaches can be effective not only to identify risk-related event patterns, but also to elicit the behavioral patterns in the adoption of risk management practices. In this context, ontologies supply an axiomatic infrastructure to mental models of risk-related patterns.
The rest of the paper is organized as follows: Section II makes the case for a holistic approach to risk in cyber security, introducing the role of trust ontologies; Section III focuses on the Human Factors Ontology (HUFO); finally, Section IV draws preliminary conclusions and sets an agenda for future research.
II. RELATED WORK
The U.S faces cyber attacks by rogue states and terrorist organizations on a daily basis. While greatly increased use of information systems has contributed enormously to economic growth, it has also made the U.S. vulnerable to a variety of cyber threats that are difficult to contrast and prevent. There are numerous factors that make cyber defense, and cyber security in general, especially problematic. The kinds of threats are diverse and span a wide spectrum of private and public interests: destruction or theft of data, interference with computer networks and information systems, disruption of the power grid and telecommunications, denial of services, etc. The legal and ethical status of cyber attacks or counterattacks by states are also unclear, at least when deaths or permanent destruction of physical objects does not result. It is still an open question what U.S. policy is or should be, and how cyber threats are analogous to traditional threats and policies—for example whether “first use” deterrence, and in-kind responses apply, and whether a policy of pure cyber defense does not put the far greater burden on attacked rather than attacking nations [10].
As these arguments suggest, untangling the complexity of cyber security does not solely depend on pinning down the computational elements into play, but demands a thorough analysis of the human factors involved. In this regard, cyber security must be studied in the context of “sociotechnical systems” [11], where the interaction between people and technology in workplace is central. Ontology analysis has recently proved to be an effective tool for investigating the defining aspects of that interaction [12].
Informed decisions emerge when a cyber analyst
projects her observations into a broad context that factors in
threat and attack types, space of defensive maneuvers,
system vulnerabilities, risk assessment and mitigation under
time constraints. Obrst and colleagues [
In order to overcome these problems, in the context of the Cyber Collaborative Research Alliance we are developing CRATELO, a three-level modular ontology of cyber security. In the next section we are going to describe the general features of CRATELO, focusing on the Human Factors Trust Ontology module (HUFO).
Ontology-based models of trust have been studied in
various domains [16]. In [17], the authors propose an
intelligent and dynamic Service Level Agreement (SLA)
1 https://cve.mitre.org/
2 https://cwe.mitre.org/
3 https://capec.mitre.org/
based on a probabilistic ontology that detects warnings in a
cloud computing environment. A generic service-oriented
framework of trust ontologies is described in [18]. A trust
ontology aiming at improving the semantic specification of
trust networks in the context of social institutions and
ecosystems is discussed in [
III. THE HUMAN FACTORS TRUST ONTOLOGY
Adopting a standard understanding and definition of
terms and concepts is a foundational requirement for good
cyber security practice, owing to the nature of the space and
the need for rapid, efficient decision-making. Cyber security
is an adversarial space, where defenders must project
possibilities and be ahead of their opposition in order to be
successful. Enacting strategies favors selecting a suitable
course of action in minimal time over exhaustively
searching [
Through processing of data, defenders can draw
conclusions and decide how to respond to evolving
scenarios. Implicit within the workload is a desire and
preference for information that can be trusted, a concept that
requires a lot of unpacking to properly understand. In fact,
conceptualizing trust in order to evaluate its role and
presence within a system is itself a difficult problem; there
are literally hundreds of definitions of trust covering
interpersonal trust, trust in automation (system trust), and
human-machine interaction [
Assessing cyber security risks is a multi-component,
multi-tiered problem that involves hardware, software,
environmental, and human factors. Effective and successful
efforts must consider impacts beyond the computer assets
and network, taking a more holistic approach that considers
the users, defenders, and attackers involved [
As part of an ongoing development of holistic cyber
security risk assessment, we have been creating a
framework that enables predictive and proactive defenses
[
Situational Characteristics focus on where in the system/network the individual is positioned and the level of insider access they possess, denoting when this access is authorized or unauthorized. A person’s situational characteristics also influence the knowledge they can access and may influence the attention they bring to a situation. For example, a user who is an executive of a company may have significant authorized access to assets but lack the same level of attentiveness to security concerns and information that a network analyst possesses. Knowledge and skill characteristics call to attention the experience, expertise, and situational awareness capabilities of the individual, including demographics such as years working in a position and training as well as their proficiency with relevant tools and techniques. Behavioral Characteristics are split into spaces such as motivation, rationality, malevolence vs. benevolence, and integrity. For example, a defender who is rational, benevolent, and has a record of following through with work and being accountable for his or her responsibilities will likely exhibit persistence in defending assets and building appropriate situational awareness. We have expanded the framework to include traits that influence the behavioral characteristics, including ideology, ethical attributes, risk averseness, and personality traits. Each of these may scale the behavioral characteristics in some fashion or serve as the driving force behind a person’s integrity, benevolence, or rational approach to cyber security situations. Collectively, these characteristics and traits impact the individual’s interactions with mission assets and play a role in determining risk. For example, defender with poor motivation and integrity, insufficient knowledge, and appropriate insider access can present a higher risk, whereas an attacker with high motivation and knowledge despite limited insider access also poses higher risk.
Trust also comes through across these spaces. The predictability and reliability of an individual generates a sense of trust in his or her actions and creates a reputation for that individual. The expertise and knowledge possessed can instill a faith or confidence in the work a defender will do, and users with sufficient integrity will be trusted to follow security policy and not act maliciously within the network. In effect, the human factors of trust directly associates with risk evaluation of cyber situations, and we can explore the relationships across the human factors of cyber security to discover where risk manifests and how trust is generated and influenced. Integrating the human factors framework into a cyber security ontology provides a logical means to explicate relationships both obvious and unintuitive, follow their connections, and evaluate trust’s presence and impact on the risk present within a given network.
B. HUFO and Trust: an overview
HUFO (see Figure 2 above) is part of CRATELO [
The relation holding between the human factors and the
metrics used to assess them is captured by the semantic
characterization of ‘qualities’ and ‘quality spaces’, which
has been originally formulated by [
As mentioned above, ‘predictability’ and ‘reliability’ are conceived in HUFO as components of ‘trust’, a complex factor that is influenced by inherent and external characteristics, in combination with measures of human performance in a given situation. Hence, trust is not only associated to human characteristics, but emerges as an essential aspect of sociotechnical systems: the hybrid nature of trust is particularly evident in the cyber security domain, where a trustworthy interaction with computer network systems is the ‘conditio sine qua non’ for a defender/attacker to accomplish a mission in cyberspace4.
Figure 2 represents an overview of HUFO generated
using OWLGrEd5: the purple links represent subsumption
relationship between classes, whereas the dotted arrows
indicate either the ‘component-of’ or the ‘influenced-by’
property (textual labels in the figure disambiguate the
equivalent graphical notations); classes are depicted as
yellow boxes, instances as green boxes. The object property
‘component of’, holding between attributes and qualities, is
modeled as a generic ‘part-of’ relation [
In this paper we examined the effort of building a human factors ontology (HUFO) as part of a broader ontology of cyber security (CRATELO). In particular, we focused on the notion of trust, showing its ties with the inherent and external characteristics of humans interacting with computer networks. In the long term, we envision to apply HUFO in 4 This is the case, for instance, when a cyber analyst uses a network-based intrusion prevention system (or NIPS) to monitor and protect a given network environment from cyber attacks. 5 http://owlgred.lumii.lv/ support of risk assessment and risk prioritazion in cyber operations.
The semantic model outlined in this paper is only a first, preliminary step in the process of porting a larger model of the cyber security ecosystem into a computational ontology. The holistic nature of our approach makes the task exceptionally challenging and, to the best of our knowledge, uniquely systematic in cyber security research. Despite the complex problems we are trying to solve, we’re also convinced that, in the forward-looking vision of the ARL Cyber Security Collaborative Research Alliance, our approach sets a realistic and crucial milestone toward the foundation of a science of cyber security.
This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on. International Conference on Information & Communication Technologies: from Theory to Applications., Damascus, 2008. [8] B. McBride, "Jena: Implementing the RDF Model and
Syntax Specification", in SemWeb, Chicago, 2001. [9] I. , Papadaki, K. Lykourentzou and A., Djaghloul, Y., Latour, T., Charalabis, I., Kapetanios, E. Kalliakmanis, "Ontology-based Operational Risk Management", in 13th Conference on Commerce and Enterprise Computing (CEC). [10] R. Dipert, "The Essential Features of an Ontology for Cyber Warfare", in Conflict and Cooperation in Cyberspace: The Challenge to National Security, A. Lowther and P. Yannakogeorgos, Eds.: Air Force Press (by Taylor & Francis), 2013. [11] K. B. De Greene, Sociotechnical systems: factors in analysis, design, and management.: Prentice-Hall, 1973. [12] N. Guarino, E. Bottazzi, R. Ferrario, and G. Sartor, "Open Ontology-Driven Sociotechnical Systems: Transparency as a Key for Business Resiliency", in Information Systems: Crossroads for Organization, Management, Accounting and Engineering, 2012, pp. 535-542. list. [15] Verizon. (2015) Data Breach Investigation Report. [Online]. http://www.verizonenterprise.com/DBIR/2015/?utm_s ource=pr&utm_medium=pr&utm_campaign=dbir201 5 [16] L. Viljanen, "Towards an Ontology of Trust", in Trust, Privacy, and Security in Digital Business. BerlinHeidelberg: Springer-Verlag, 2005, vol. 3592, pp. 175–184. [17] O, Hafid, A. and M.A. Serhani Jules, "Bayesian network, and probabilistic ontology driven trust model for sla management of cloud services", in 3rd IEEE International Conference on Cloud Networking, 2014. [18] E., Dillon, T. S., Hussain, F. Chang, "Trust ontologies for e-service environments", International Journal of Intelligent Systems, vol. 22, pp. 519-545, 2007.