Workshop on Risk Assessment for Socio-Technical Systems
to be held in conjunction with the ARES EU Projects Symposium 2016, held at the 11th International Conference on Availability, Reliability and Security (ARES 2016 – http://www.ares-conference.eu)
August 31 – September 2, 2016
Attacks on organisations are no longer purely technical. Attacks like Stuxnet involve technical and human factors, and they damage physical infrastructure. The recent attack on a German steel mill combined targeted phishing emails with social engineering attacks. The phishing helped the hackers extract information they used to gain access to the plant’s office network and then its production systems. As a result, the technical infrastructure of the mill suffered severe damage.
The attack on the German steel mill illustrates that we need to integrate the social and technical aspects of systems in assessing their security – and we need to do so today. Socio-technical systems pose new challenges by combining parts for which we often understand the security issues; the combined system is, however, much more complex due to interactions between these parts.
This new class of attacks cleverly exploits multiple organisational vulnerabilities, involving physical security and human behaviour. Defenders need to make rapid decisions regarding which attacks to block, as both infrastructure and attacker knowledge change rapidly. Emerging security risks demand tool support to predict, prioritise, and prevent complex attacks systematically.
This workshop will address recent advances in risk analysis for socio-technical systems. The research presented builds upon results from technical and social sciences, combining them for a better understanding of vulnerabilities of organisations as a whole, and supporting defenders in deciding where to invest resources for protection.
The challenges discussed and the findings presented are at the core of the TRESPASS project, which has developed the “attack navigator”. The attack navigator identifies possible attack opportunities, ranks them by urgency, and suggests countermeasures. The project has also developed novel physical modelling tools to build maps for the navigator, and to identify relevant elements of an organisation.
During the workshop we will discuss topics relevant for risk assessment of socio-technical systems and advances in the field. The workshop will be highly interactive, providing ample opportunity for interaction with project members and discussions around the project results and tools.
Christian W. Probst
Technical University of Denmark, DK