TREsPASS co-organises Dagstuhl Seminar on Socio-Technical Security Metrics

The TREsPASS consortium co-organises the Dagstuhl seminar 14491 on socio-technical security metrics from November 30 to December 5, 2014.
Safety metrics inform many decisions, from the height of new dikes to the design of nuclear plants. We can state, for example, that the dikes should be high enough to guarantee that a particular area will flood at most once every 1000 years. Even when considering the limitations of such numbers, they are useful in guiding policy.
Metrics for the security of information systems have not reached the same maturity level. This is partly due to the nature of security risk, in which an adaptive attacker rather than nature causes the threat events. Moreover, whereas the human factor may complicate safety and security procedures alike, in security this "weakest link" may be actively exploited by an attacker, such as in phishing or social engineering. In order to measure security, one therefore needs to compare online hacking against such social manipulations, since the attacker may simply take the easiest path. In addition, countermeasures may impact usability and productivity, and lead to workarounds rather than more secure systems. Therefore, defining information security metrics requires close cooperation between different fields of science and practice.
The Dagstuhl Seminar on socio-technical security metrics brings together computer scientists, behavioural scientists, economists, risk managers and consultants, in search for suitable metrics that allow us to estimate information security risk in a socio-technical setting, as well as the costs and effectiveness of countermeasures. In particular, we study the risk metrics in the context of recent developments, where information systems move to the cloud and access moves to personal devices such as smartphones.