TREsPASS FP7 EU Project
Consult Hyperion researches novel approaches to managing socio-technical risks in a payments environment
Since 2012, Consult Hyperion has been working with partners in the EU-funded FP7 TREsPASS socio-technical risk management project, developing methods and tools to analyse and visualise information security risks and countermeasures in dynamic organisations. This is achieved by combining technical sciences (system vulnerabilities), social sciences (how likely people are to succumb to social engineering) and state-of-the-art industry processes and tools into a single framework.
We have worked with project partners to develop a detailed case study combining multi-faceted social risks with technical challenges in a scenario which at first glance is easily understood. However, it has sufficient complexity to support ongoing expansion of approaches and techniques. The theme of customer privacy and financial services enables investigation of risks which are of considerable interest both to industry professionals and to the general public.
The TREsPASS project is a large-scale EU-funded socio-technical risk management research project with seventeen partners from nine different countries across the EU. TREsPASS is developing a suite of decision support tools, to support data collection, risk model development and analysis, as well as visualisation.
Consult Hyperion performs a number of key roles within the TREsPASS consortium: case study development, benchmarking, validation, and dissemination and exploitation.
• Customer Privacy Protection (payments) – case study development
For reasons of confidentiality, an anonymised and slightly redacted version of this case study is presented. However, all the important features have been retained.
The case study concerns a system supporting primarily elderly and disabled people in performing online payments and managing their own money from home. With the target demographic in mind, the system should be integrated into an existing device that is familiar and easy to use for the intended user groups, namely the television set. In practice this is accomplished by hooking up a small, dedicated computer to the TV and an enhanced remote control with a built-in card reader for authentication. In this case study there are many different security aspects to be considered: from the strictly technical, such as how information is protected while stored or transmitted, to the socio-technical, covering security issues arising from the use of and interaction with the technology.
The design is intended to be simple and to offer people of all ages and abilities a means of accessing the services they require. Although this system could offer great convenience, it also has the potential to expose the account holder to significant social risks, particularly those stemming from the involvement of both professional carers and family members. Such carers have legitimate access to the user, the device and the authentication card, and could be considered knowledgeable insiders with the potential to act as malicious insiders.
This case study has been used in many different contexts: initially as a means of evaluating Consult Hyperion's own Structured Risk Analysis (SRA) process, both as practised by us and as practised by our project partners. This highlighted the strengths of the process, but also the importance of substantial background knowledge in the technology areas concerned. Over the first two years of the project, the case study has formed a focus for integrating the different processes being developed within the project, such as modelling and statistical analysis based on formal methods.
Technical data collection was based on analysis of architectural models and of hardware and software vulnerabilities, combined with attacker profiles. The social data, building on the work with attacker profiles, also included research into organisational risk, identifying important roles and relationships within an organisation and with external partners. Additionally, statistical approaches based on widely available figures, such as those published by Eurobarometer, support evaluation of the areas of greatest concern relating to potential users of the system and the choice of appropriate countermeasures.
• Researching emerging threats in the financial sector
This case study has also been used as a basis for monitoring emerging threats which are relevant to financial service providers and their clients. These include the most prominent mainstream security incidents and threats, as well as threats which are more specific to financial services.
Data was gathered from the wide range of sources which partners in the project regularly use: published papers, magazines, newsletters, and organisations and professional bodies in the field of information security at both national and global level. In addition, specialist information sources in the fields of financial services and crime were collected.
Subsequently, a session was held to discuss emerging threats. Due to the diversity of interests, experience and priorities within the project, an extensive list of developments was identified. These included commercial aspects, such as the impact of increasingly inexpensive (or even free) processing power. Personal privacy and its relationship to commercial and political interests were also discussed. Technical discussions ranged from very high-level questions, such as the role of open source software following incidents such as Heartbleed (the OpenSSL TLS heartbeat bug, CVE-2014-0160), to very detailed aspects of recent developments in side-channel attacks.
In addition, a survey of security professionals has been undertaken. This will be used to produce a classification of emerging threats and a time-line analysis, highlighting the evolution of threats. This will allow the project to evaluate the types of changes which may be anticipated while planning tool development.
Why Consult Hyperion?
Consult Hyperion has made a number of significant contributions to the project:
Extensive experience of applying our own Structured Risk Analysis process to highly complex systems has enabled us to develop practical, relevant case studies, against which to test the processes and tools being developed within the project.
Application of our own SRA process to the Customer Privacy Protection case study has enabled the project to gain early insights into the most interesting and challenging features of a case study which combines contactless card payments, social inclusion in an ageing population and novel technologies.
About Our Customer
The TREsPASS project is part of the Seventh Framework Programme, funded by the European Commission's DG CONNECT, with 17 partners from across the EU. The consortium is composed of universities and commercial companies with expertise across the risk landscape. Key areas of interest are cloud infrastructures, telecommunications and financial services. The consortium's capabilities in the technical, social and geographical aspects of security support the development of a more comprehensive approach to security risk management.
Keywords: Threat, Risk, Vulnerability, Countermeasure, Attack, Policy, Process, Model, Social engineering, Social inclusion, SME, Information security, Research, Practitioner, Analysis, Visualisation, Card payments, Privacy, Socio-technical.