Security & Privacy

Information Security/Privacy Behavior

The fundamental premise of this research is that information security is not entirely a technology problem but rather a linked problem of human behavior and technology. We have several current projects in the area and a team of behavioral scientists and security researchers. One of the projects deals with understanding the security perceptions of users across different demographics. Our contention is that there are vast differences in user perception of information security based on organizational culture, personal goals, and awareness. We compare different demographics to understand why user responses vary considerably in compliance with security guidelines. In a second study, we examine what psychological traits of users make them vulnerable to phishing scams. We divide a large population based on demographic features and test their vulnerability to phishing using carefully crafted messages. This is a series of ongoing experiments that we are conducting with the eventual goal of focused educational campaigns based on demographics.

Two doctoral students, Damira Pon and Ersin Dincelli, are working on this stream of research. Damira's research goes beyond understanding the security perceptions of different demographics and focuses on influencing the security behavior of users to improve security. Ersin's research investigates differences in the privacy behavior of social network users based on the values imbued in them by cultural influence.

Innovative Education and Pedagogy

Cyber security and digital forensics educational research remains a bedrock of the research stream established by Prof. Goel and his team. The initial work focused on development and dissemination of information security education based on a "teaching hospital" concept. The model envisages real information security problems from industry and government solved and abstracted into living cases used for training and education of university students and public-sector employees. We have built strong partnerships with government and private organizations that have security issues so that a rich set of cases is constantly introduced into the hospital. The new research stream is focused on developing innovative learning models for security and forensics education. We are developing a collaborative international learning program with bilingual education in English and Russian with the Bauman Moscow State Technical University. We are also engaged in developing a flipped classroom model for curriculum delivery based on a grant from the National Science Foundation. We are also working with commercial vendors to create sophisticated forensics and security laboratories to improve the quality of online security education. We have received several grants from the National Science Foundation, the U.S. Department of Education and New York State to develop teaching labs and innovate in education.

Security Models

Our research on security models builds on expertise gained previously in developing security models inspired by biological systems, i.e., immune systems, epidemiological models, and protein pathway mapping. We are also developing qualitative and quantitative risk models for organizations to understand and manage security risks. We have worked with NY State and General Electric to evaluate our risk methodologies.

Biological Models

As the mean time to attacks decreases, there is very little time for organizations to react to throttle the propagation of attacks and protect information systems. The primary purpose of this work is to develop organic, in-line, self-organized autonomous systems that can automatically detect pathogens propagating on the network and then neutralize them to prevent their further propagation. Nature has provided several instances of such systems such as the human immune system, protein metabolism, and the functioning of the genetic operators in the human body. This work involves investigation of novel architectures inspired by biological paradigms for developing security systems. There are several streams of research under this theme:

Immune System Architecture: In this research, a simulation for a two-level computer immune system has been developed that controls the entry of pathogens into a node at the entry level and also constantly monitors the file system for any pathogens being organically generated or slipping through the perimeter defense. A simulation model is being developed to simulate this two-level immune system using RePast (an agent-based simulation language). In this simulation, several agent populations are generated, the different detectors and packets (or files) randomly interact with each other, packets (or files) are tested for infection, and infected packets or files are destroyed. New packets are constantly generated (some infected) and files (infected and non-infected) randomly execute, leading to propagation of viruses.

Collective Network Defense: Reactive security systems, based on immunological models, though conceptually elegant, have failed to make serious inroads into commercial security systems. In order to offer credible defense against invasion, these systems require a large number of detectors with rich representation schemes that can capture the precise signatures of pathogens. The computational complexity of these systems is very high, which makes them infeasible to deploy on all network nodes. In order to make such reactive systems practical, multiple network nodes must work synergistically and share computational burden by partitioning the detector space to present a collective defense against intrusions. The research presents a collective defense scheme based on immunological models in which network nodes synergistically work to intercept and neutralize pathogens in computer networks. An analytic model and a simulation based on RePast are being developed to demonstrate the collective defense concept.

Protein Pathway Mapping: There is a gap between the immunological micro-level and epidemiological macro-level models of computer security. These models of computer security, based on biological paradigms of immune systems and the epidemiological spread of diseases, have been developed in isolation from each other. The immune systems have typically operated on individual network nodes whereas the epidemiological models are based on aggregate statistical values from network attack propagation. As a result, we are lacking a unified analytical framework that models the propagation of the attacks at the network level. Lack of a unified analytical framework and the inability to develop rigorous information assurance metrics has impeded the advancement of security research. In this research, we are developing a network security paradigm based on protein pathway mapping that models the network behavior especially during propagation of attacks and bridges this gap between the macro-level and micro-level models. This model incorporates concepts from Information Theory, Machine Learning, and Biological Protein Pathways to create an organic view of information assurance.

Risk Models

Private and public institutions depend on the use of networked information systems for their critical activities. Examples are e-commerce, transportation, power generation, hospitals, and law enforcement. Organizations and the public alike are concerned about the security of data and services. Various measures of control are available for improving security, even though it is often unclear which ones are appropriate under what circumstances. This research involves developing models and collecting data for accurate information security risk analysis in various organizations.

Qualitative Risk Analysis: In this work, an easy-to-use risk analysis methodology has been developed that brings transparency to the risk analysis process. The methodology involves financial analysis based on expected threats and vulnerabilities and on the value of the assets that must be protected and the cost of the controls that must be implemented. The methodology allows the organizations to work with partial data and then gradually refine the analysis by adding more data as it becomes available. It also enables organizations to compare their risk posture with other organizations and to determine suitable controls required to improve security. The methodology is investigated at General Electric Energy, a global engineering and manufacturing organization with elaborate information technology requirements and security concerns. This study provides templates that are simple to understand and easy to implement. The approach fits well with the company's philosophy of metrics based analysis using Six Sigma methodology. To obtain the data for the analysis, cross-disciplinary teams from legal, engineering, security, and information management divisions are employed to rate and rank different threats, vulnerabilities and controls and establish the associations between them. The results from the analysis are presented as a set of three matrices, namely, vulnerability matrix, threat matrix, and control matrix. Aggregate data from one matrix is cascaded into the next one such that in the final matrix, the relative importance of the controls is obtained to facilitate development of a control plan in the organization.
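The three-matrix cascade described above, as an added example (not code from the original page or from the General Electric study). The 0/1/3/9 rating scale, the weighted-sum aggregation, and every asset, vulnerability, threat and control name and value are assumptions constructed for illustration.

```python
# Constructed sample ratings on an assumed 0/1/3/9 scale (none/low/medium/high).
ASSET_VALUE = {"customer_db": 9, "web_portal": 3, "build_server": 1}

# Vulnerability matrix: impact of each vulnerability on each asset.
VULN_MATRIX = {
    "unpatched_os":   {"customer_db": 3, "web_portal": 9, "build_server": 3},
    "weak_passwords": {"customer_db": 9, "web_portal": 3, "build_server": 1},
    "no_backups":     {"customer_db": 9, "web_portal": 0, "build_server": 3},
}
# Threat matrix: how strongly each threat exploits each vulnerability.
THREAT_MATRIX = {
    "malware":    {"unpatched_os": 9, "weak_passwords": 1, "no_backups": 3},
    "insider":    {"unpatched_os": 0, "weak_passwords": 9, "no_backups": 1},
    "hw_failure": {"no_backups": 9},  # partial data: unrated cells omitted
}
# Control matrix: how strongly each control mitigates each threat.
CONTROL_MATRIX = {
    "patch_mgmt":     {"malware": 9},
    "mfa":            {"malware": 1, "insider": 9},
    "offsite_backup": {"malware": 3, "insider": 1, "hw_failure": 9},
}

def cascade(matrix, weights):
    """Aggregate each row as sum(rating * weight of the column item).

    The weights are the aggregates of the previous matrix (assumed
    weighted-sum rule). Unrated cells and unknown columns contribute 0,
    so the analysis can start from partial data and be refined later.
    """
    return {row: sum(rating * weights.get(col, 0) for col, rating in cells.items())
            for row, cells in matrix.items()}

def rank_controls(assets=ASSET_VALUE, vulns=VULN_MATRIX,
                  threats=THREAT_MATRIX, controls=CONTROL_MATRIX):
    """Cascade assets -> vulnerabilities -> threats -> controls and
    return (control, score, percent share) tuples, highest score first."""
    vuln_score = cascade(vulns, assets)
    threat_score = cascade(threats, vuln_score)
    control_score = cascade(controls, threat_score)
    total = sum(control_score.values())
    ranked = sorted(control_score.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, score, round(100 * score / total, 1) if total else 0.0)
            for name, score in ranked]

if __name__ == "__main__":
    for name, score, share in rank_controls():
        print(f"{name:15s} {score:6d} {share:5.1f}%")
```

Adding a rating to a previously unrated cell changes only the aggregates downstream of it, which is what lets teams refine the matrices incrementally.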

Quantitative: In this model, qualitative analysis is used to identify critical vulnerabilities, threats, and assets and a quantitative analysis is used to compute a precise value of security risk. Risks from individual sources are aggregated in order to get an overall measure for risk so that risk can be tracked over time. An aggregate measure needs to be reversible so that different risk factors can be isolated. The model evaluates the risk and incorporates uncertainties into the analysis. One of the key outcomes of this work will be classification of vulnerabilities, threats, assets, and controls by industry sectors, including government agencies. The work uses a novel approach based on Kolmogorov Complexity metrics of software and networks to estimate the vulnerabilities in an organization.

Security Policies

Security Policy Metrics: Security policies, if properly constructed and rigorously implemented, can eliminate a large fraction of attacks. However, in spite of the emphasis on organizational security and enforcement of security policies, various statistics show that security is continuously deteriorating. This investigation will study the differences between organizations based on three factors: 1) content of security policies, 2) interpretation of security policies, and 3) implementation of security policies. This research will determine the differences in organizational cultures and other factors that make security policy implementation more effective. Our initial work will involve development of metrics for characterizing security policies such that the metrics can be used to ensure that security policies are aligned with the organizational goals. This research will also consider the influence of organizational factors (e.g., culture, values, and people) on the policy lifecycle.

Figure 1. Measurement model.

Related Publications

  1. Goel, S., Williams, K. & Dincelli, E. "Got Phished Lately: Why Humans Cannot Stop Themselves from being Phished?" Submitted to the Journal of the AIS. (W)
  2. Warkentin, M., Goel, S. & Menard, P. "Consumer Acceptance of Smart Metering Technology." Submitted to the Journal of the AIS. (W)
  3. Goel, S., Williams, K. & Warkentin, M. "Is Implementing Information Security a Fool's Errand? Understanding the Impact of Human Risk Perceptions on Security Policy Compliance." Targeted for submission to Information Systems Research Journal. (W)
  4. Dincelli, E., Goel, S. & Williams, K. "Impact of Culture on Security and Privacy Behavior of Social Media Users." Targeted to Communications of the AIS. (W)
  5. Goel, S., & Pon, D. (2005). An Innovative Model for Information Assurance Curriculum: A Teaching Hospital. Accepted for publication September 2005 in the ACM Journal on Educational Resources in Computing, Special Issue on Support for the Computer Security Curriculum. (J)
  6. Goel, S., & Pon, D. (2005). Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital. Accepted for publication in N. Sarkar (Ed.), Tools for Teaching Computer Networking and Hardware Concepts. (B)
  7. Goel, S., & Pon, D. (2005). An Innovative Model for Information Assurance Curriculum: A Teaching Hospital. Accepted for publication May 2005 in the Proceedings of the Information Resource Management Association (IRMA) International Conference, San Diego, CA. (C)
  8. Goel, S., & Bush, S.F. (2005). Biological Models of Security in Computer Networks Based on Cellular Mechanisms. Accepted for publication 2005 in ;login: (J)
  9. Goel, S., & Lessner, L. (2005). Epidemiological Models for Computer Virus Spread. Accepted in the Proceedings of the American Statistical Association Conference. (C)
  10. Goel, S., & Bush, S.F. (December 2004). Biological Models of Security for Virus Propagation in Computer Networks. ;login:, 29(6), 49-56. (J)
  11. Goel, S., & Bush, S. F., (2003). Kolmogorov Complexity Estimates for Detection of Viruses in Biologically Inspired Security Systems: A Comparison with Traditional Approaches. Complexity Journal 9(2), 54-73. (J)
  12. Goel, S. & Chengalur-Smith, I-N. (2010, Dec.). Metrics for Characterizing the Form of Security Policies. Journal of Strategic Information Systems, 19(4), 281-295. (J)
  13. Goel, S., Pon, D., & Menzies, J. (2006). Managing Information Security: Demystifying the Audit Process for Security Officers. Journal on Information Systems Security (JISSEC), 2(2), 25-45. (J)