Information Security and Risk Management: Trustworthiness and Human Interaction

As digital information has come to underpin the majority of modern systems in almost all domains (e.g. business, finance, government, education, health, third sector), increasingly sophisticated cybersecurity attacks have become an unavoidable reality of modern life. In the face of this, regulation and best practice are increasing moving from simplistic security control tick-lists towards risk management frameworks (such as recommended in the EU's GDPR and NIS directive and described in standards such as ISO 27005). Consequently, it is highly relevant for students, practitioners, and researchers alike to understand risk management, systems modelling, attack paths, and human interactions and risks in order to understand the central value and importance of cybersecurity risk management in supporting trustworthiness in information systems. As part of the H2020 CyberKit4SME project, this interactive, hands-on tutorial will explore state-of-the-art approaches to trustworthy cybersecurity risk management that is able to effectively and sufficiently account for the risks that humans introduce into any information system [1]. After establishing the basic concepts around cybersecurity, trustworthiness, system modelling, risk management and socio-technical theory, an exploration of the importance and role of visualised attack paths in providing easily understood risks, thereby ensuring intelligent risk management tools do not become `black boxes' to their users, will be undertaken. Alongside this, how attack paths help support human decision-making by pinpointing the most effective risk mitigation strategies will be investigated. In addition, the tutorial will explore human interaction flows and how they can combine with attack paths to empower comprehensive cybersecurity risk assessments and help guide holistic mitigations. In the final part of the tutorial, there will be an opportunity to get practical experience of modelling an information system and identifying and mitigating the cybersecurity risks to it using two tools: the System Security Modeller [2, 3] (University of Southampton) and the Human and Organisational Risk Modelling framework (SINTEF) which is derived from the Customer Journey Modelling Language [4, 5] (CJML).