Title: Identifying and Addressing Risks in the Early Design of a Sociotechnical System through Premortem
Anticipating risks in software development is always challenging, but particularly so when the software application is part of a novel sociotechnical system with various human and physical components. Our interdisciplinary team of software engineering and human factors researchers is designing such a system. In order to identify and mitigate the risks latent in this previously unexplored space, we have used the premortem method at an early stage in system design. In the premortem, the team ideated failure scenarios across the range of system use, then collaborated on ways to eliminate, mitigate, or monitor the risks of these failures. We have found the premortem method valuable in recognizing and mitigating previously unanticipated risks and in enriching team communication.
Award ID(s):
2122034
PAR ID:
10435109
Author(s) / Creator(s):
; ; ; ;
Date Published:
Journal Name:
Proceedings of the Human Factors and Ergonomics Society Annual Meeting
Volume:
66
Issue:
1
ISSN:
2169-5067
Page Range / eLocation ID:
1514 to 1518
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Cyber physical system (CPS) Critical infrastructures (CIs) like the power and energy systems are increasingly becoming vulnerable to cyber attacks. Mitigating cyber risks in CIs is one of the key objectives of the design and maintenance of these systems. These CPS CIs commonly use legacy devices for remote monitoring and control where complete upgrades are uneconomical and infeasible. Therefore, risk assessment plays an important role in systematically enumerating and selectively securing vulnerable or high-risk assets through optimal investments in the cybersecurity of the CPS CIs. In this paper, we propose a CPS CI security framework and software tool, CySec Game, to be used by the CI industry and academic researchers to assess cyber risks and to optimally allocate cybersecurity investments to mitigate the risks. This framework uses attack tree, attack-defense tree, and game theory algorithms to identify high-risk targets and suggest optimal investments to mitigate the identified risks. We evaluate the efficacy of the framework using the tool by implementing a smart grid case study that shows accurate analysis and feasible implementation of the framework and the tool in this CPS CI environment. 
  2. This research investigates U.S. parents’ responses to the rapidly changing, novel environment of the internet, applying evolutionary theory and interdisciplinary methodologies. Novel environments pose potential challenges to existing adaptive strategies, so this research investigates important questions about how parents and children perceive the risks of children’s entry into the virtual world and how they mitigate potential risks. The research focuses on parents of children in middle childhood (children ages 6–12), a significant period in human life history when children start building relationships outside the family. We utilize in-depth interviews (n = 26), cultural domain analysis (n = 32), surveys (n = 199), and participatory co-design (n = 34) to synergize theoretical concepts in evolutionary anthropology with the applied research focus of human–computer interaction. Cultural domain maps and interview results identify and classify perceptions of costs, benefits, and risks, including intrinsic and extrinsic sources of risk and risk tangibility. Survey results further identify platforms and risks of highest priority and confirm parental interest in new kinds of tools for managing the digital experiences of their children. Life history theory informs our approach to the development of parental control software that favors skill building and encourages parent–child discussions supporting child executive function and resilience to risks. 
  3. Universities have been forced to rely on remote educational technology to facilitate the rapid shift to online learning. In doing so, they acquire new risks of security vulnerabilities and privacy violations. To help universities navigate this landscape, we develop a model that describes the actors, incentives, and risks, informed by surveying 105 educators and 10 administrators. Next, we develop a methodology for administrators to assess security and privacy risks of these products. We then conduct a privacy and security analysis of 23 popular platforms using a combination of sociological analyses of privacy policies and 129 state laws, alongside a technical assessment of platform software. Based on our findings, we develop recommendations for universities to mitigate the risks to their stakeholders.
  4. Creativity focuses on the generation of novel and useful ideas. In this paper, we propose an approach to automatically generating creative requirements candidates via the adversarial examples resulted from applying small changes (perturbations) to the original requirements descriptions. We present an architecture where the perturbator and the classifier positively influence each other. Meanwhile, we ensure that each adversarial example is uniquely traceable to an existing feature of the software, instrumenting explainability. Our experimental evaluation of six datasets shows that around 20% adversarial shift rate is achievable. In addition, a human subject study demonstrates our results are more clear, novel, and useful than the requirements candidates outputted from a state-of-the-art machine learning method. To connect the creative requirements closer with software development, we collaborate with a software development team and show how our results can support behavior-driven development for a web app built by the team. 
  5. The security threats to mobile applications are growing explosively. Mobile app flaws and security defects could open doors for hackers to easily attack mobile apps. Secure software development must be addressed earlier in the development life cycle rather than fixing the security holes after an attack. Eliminating possible security vulnerabilities early will help us increase the security of software and mitigate the consequences of data loss caused by potential malicious attacks. In this paper, we present a static security analysis approach with the open source FindSecurityBugs plugin for the Android Studio IDE. We demonstrate that integration of the plugin enables developers to secure mobile applications and mitigate security risks during implementation time in the Android Studio IDE.