Archetypal behavior in computer security

Journal of Systems and Software

Volumn 80, Issue 10, 2007, Pages 1594-1606

  Rosenfeld, Shalom N ^a   Rus, Ioana ^b   Cukier, Michel ^c  

^a UNIVERSITY OF MARYLAND   (United States)

^b Fraunhofer Center Maryland   (United States)

^c UNIVERSITY OF MARYLAND   (United States)

Author keywords

Attacks and countermeasures; Escalation; Limits to Growth; Organization computer security; System archetypes; System dynamics; System dynamics modeling and simulation

Indexed keywords

COMPUTER SIMULATION; DECISION MAKING; RISK ASSESSMENT; SYSTEMS ANALYSIS;

ATTACKER EFFORT; ORGANIZATION COMPUTER SECURITY; SYSTEM ARCHETYPES; SYSTEMIC APPROACH;

SECURITY OF DATA;

EID: 34547798595     PISSN: 01641212     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.jss.2007.01.046     Document Type: Article

References (43)

1. Bajcsy R., et al. Cyber defense technology networking and evaluation. Communications of the ACM 47 3 (2004) 58-61
2. Bergemann, D., et al., 2004. Towards an economic analysis of trusted systems. In: Presented at Third Annual Workshop on Economics and Information Security - WEIS04, Minneapolis.
3. Bergemann, D., et al., 2005. Flexibility as an instrument in DRM systems. In: Presented at Fourth Annual Workshop on Economics and Information Security - WEIS05, Cambridge, Massachusetts.
4. Bodin L., et al. Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 28 2 (2005) 79-83
5. Braun, W., 2002. The Systems Archetypes. .
6. Campbell K., et al. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 11 (2003) 431-439
7. CERT (United States Computer Emergency Readiness Team), 2006. Technical Cyber Security Alerts. .
8. Cohen, F., et al., 1999. Simulating CyberAttacks, Defenses, and Consequences. .
9. Dacier, M., et al., 2004. Honeypots: practical means to validate malicious fault assumptions. In: Proceedings of the 10th IEEE Pacific Rim International Symposium on Dependable Computing - PRDC04. IEEE, Papeete, Tahiti, French Polynesia, pp. 383-388.
10. Feigenbaum J., et al. Subjective-cost policy routing. Proceedings of the Workshop on Internet and Network Economics. Lecture Notes on Computer Science vol. 3828 (2005), Springer, Berlin 174-183
11. Forrester J. Industrial Dynamics (1961), MIT Press and Wiley & Sons, Cambridge, Massachusetts
12. Gibson, S., 2002. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson ResearchCorporation. .
13. Gong, F., et al., 2001. Characterizing intrusion tolerant systems using a state transition model. In: Proceedings of DARPA Information Survivability Conference and Exposition II-DISCEX'01.
14. Gordon L.A., and Loeb M.P. The economics of information security investment. ACM Transactions on Information and System Security 5 4 (2002) 438-457
15. Gordon L.A., and Loeb M.P. Managing Cybersecurity Resources: A Financial Perspective (2005), McGraw-Hill, New York
16. Gordon L.A., et al. Tenth Annual CSI/FBI Computer Crime and Security Survey (2005), Computer Security Institute, San Diego, CA.
17. Imagine That, Inc., 1998. Extend. (Version 4.1), [CD-ROM]. San Jose, CA.
18. Irvine C.E., et al. CyberCIEGE: gaming for information assurance. IEEE Security and Privacy Magazine 3 3 (2005) 61-64
19. ISO/IEC, 1999. International Standards (IS) 15408-1:1999, 15408-2:1999, and 15408-3:1999, "Common Criteria for Information Technology Security Evaluation": Part 1: "Introduction and General Model", Part 2: "Security Functional Requirements", and Part 3: "Security Assurance Requirements". Version 2.1.
20. ISO/IEC 17799, 2005. Information technology - Security techniques - Code of practice for information security management.
21. Jha, W., Wing, J.M., 2001. Survivability analysis of networked systems. In: Proceedings of the 23rd International Conference on Software Engineering - ICSE01, pp. 307-317.
22. Jonsson E., and Olovsson T. A quantitative model of the security intrusion process based on attacker behavior. IEEE Transactions on Software Engineering 23 4 (1997) 235-245
23. Krahl, D., 2000. The extend simulation environment. In: Proceedings of the 2000 Winter Simulation Conference, pp. 280-289.
24. Landoll D.J. The Security Risk Assessment Handbook (2005), Auerbach Publications
25. Landwehr C. Formal models for computer security. Computer Surveys 13 3 (1981)
26. Larose, R., Eastin, M.S., 2003. A social cognitive explanation of Internet uses and gratifications: toward a new theory of media attendance. In: Presented at International Communication Association, Communication and Technology Division, San Diego.
27. Larose, R., Rifon, N., 2003. Your privacy is assured - of being invaded: Web sites with and without privacy seals. In: Presented at IADIS International Conference, Lisbon.
28. Lowry, J., 2001. An initial foray into understanding adversary planning and courses of action. In: Proceedings DARPA Information Survivability Conference and Exposition II - DISCEX01, pp. 123-133.
29. Marais, K., Leveson, N., 2003. Archetypes for organizational safety. In: Presented at IRIA03. .
30. Naval Postgraduate School and Rivermind, Inc., 2006. Cyberciege (Version 1.5b). .
31. Ortalo R., et al. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25 6 (1999) 633-650
32. Panjwani, S., et al., 2005. An experimental evaluation to determine if port scans are precursors to an attack. In: 2005 International Conference on Dependable Systems and Networks - DSN05, Yokohama, Japan, pp. 602-611.
33. Pouget, F., Dacier, M., 2004. Honeypot-based forensics. In: AusCERT Information Technology Security Conference 2004 - AusCERT04, Ashmore, Australia.
34. Pouget, F., et al., 2004. Understanding threats: a prerequisite to enhance survivability of computing systems. In: International Infrastructure Survivability Workshop 2004 - IISW04, in Conjunction with 25th International Real-Time Systems Symposium - RTSS04, Lisbon.
35. Pouget, F., et al., 2005. Leurre.com: on the advantages of deploying a large scale distributed honeypot platform. In: Proceedings E-Crime and Computer Conference 2005 - ECCE05, Monaco. .
36. Rosenfeld, S.N., 2006. System Dynamics Modeling and Simulation of Enterprise Computer Security. Master's thesis, University of Maryland at College Park. .
37. Rosenfeld, S.N., Rus., I., Cukier, M., 2006a. Modeling and simulation of the escalation archetype in computer security. In: Proceedings of 2006 Symposium on Simulation Software Security - SSSS06, Part of the 2006 Spring Simulation Multiconference (SpringSim06), Huntsville, Alabama. .
38. Rosenfeld, S.N., Rus., I., Cukier, M., 2006b. Modeling the symptomatic fixes archetype in computer security. In: Proceedings of the 30th Annual International Computer Software and Applications Conference (COMPSAC'06), Chicago, pp. 178-188.
39. Senge P. The Fifth Discipline: The Art and Practice of the Learning Organization (1990), Currency-Doubleday, New York
40. Senge P., Kleiner A., et al. The Fifth Discipline Fieldbook (1994), Currency-Doubleday, New York
41. Stevens, F., et al., 2004. Model-based validation of an intrusion-tolerant information system. In: Proceedings of the 23rd Symposium on Reliable Distributed Systems - SRDS04, Florianópolis, Brazil, pp. 184-194.
42. US Department of Defense, 1985. Department of Defense Trusted Computer System Evaluation Criteria ("Orange Book"), DOD 5200.28-STD, Library No. S225,7ll. . CCIMB-99-031, CCIMB-99-032, and CCIMB-99-033. .
43. Wolstenholme E. Toward the definition and use of a core set of archetypal structures in system dynamics. System Dynamics Review 19 1 (2003) 7-26