Resilience is introduced as the new security goal, supported with security- and safety-related information by data-centric services for predictive risk management in real time. Secondary use of personal information is of essential importance for this. The problem is that data-centric services themselves threaten resilience. Although privacy as a state of equilibrium, enforced with usable security by identity management, actually aims at decreasing the users' own risk, its use by data-centric services for unilateral information flow control threatens privacy and resilience. Users lose control over their identity, while at the same time the competitiveness of small and medium-sized service providers in particular is endangered, since reliable statements on the authentication of derived information are required. Self-protection, however, depends on opposite security interests. This talk claims that Multilateral Security improves privacy and resilience by a multilateral secondary use of personal security-related information for distributed usage control. Privacy is understood here as informational self-determination, and the key concept is the non-linkable delegation of rights on the secondary use of personal information.
Presented at the workshop "Usable Security and Privacy", an event of "Mittelstand-Digital" of the Federal Ministry for Economic Affairs and Energy (BMWi), at the HCI conference "Mensch und Computer 2015" in Stuttgart, Germany: http://www.mittelstand-digital.de/DE/Service/suche,did=717526.html
4. Agenda
Dr. Sven Wohlgemuth, Resilience by Usable Security
I. Resilience and Secondary Use
• Dependencies threaten control
• Control by transparency
II. Multilateral Security
• Usage control
• Privacy-Enhanced AAA(A)
III. Big Data and Privacy
• From login to control by transparency
• Loss of control
IV. Usable Security
• Multilateral secondary use
• Byzantine agreement
5. I. Resilience and Secondary Use
Resilience: predictive risk management to remain in or return to an equilibrium, by IT support in real time with secondary use of personal information.
Public-private cooperation (figure examples): public traffic road map (03/19/2011); localization at Disney Resort Tokyo (08/02/2011); user-generated content on Google Maps (08/02/2011).
6. Support by Cyber-Physical Systems
Figure (N. Sonehara, 2011): real world and cyber world linked by a CPS data platform.
• Real world: sensor networks in the home, building facilities, vehicle networks, power grid system, environment monitoring, agriculture, transport system, human state, etc.
• Sensing & actuation (control); collection and sharing of context and data over PAN, wide area network and all-IP network.
• Cyber world: CPS data platform with policy decision support based on information processing, and service control.
8. Information Usage Model
Figure: data provider --(primary use: d)--> data consumer/provider --(secondary use: d, d*)--> data consumer. Every party may act as data provider and data consumer at the same time.
• Problem: users lose control over their identity.
• Dependencies occur at run-time and threaten information processing.
9. Dependency: Users and IT System
Figure (bar chart, citations per problem category): Problem Category I: 10; Problem Category II: 48; Problem Category III: 42; Problem Category IV: 20.
75% of the identified problems are usability problems with a negative effect on the user's security.
• The user has to learn the technical concept.
• SigG digital signature client Signtrust: "maloperation" raises a security incident.
• 7 Internet user groups in Germany: people with less security expertise (approx. 70%) want to delegate privacy to a TTP.
• Responsibility: self-protection or privacy by a TTP.
D. Gerd tom Markotten 2004; G. Müller and S. Wohlgemuth 2005; DIVSI 2012
10. Dependency: Third Party
Case (a): passive incident. Case (b): active incident.
• Inevitable, not-modelled dependencies during run-time.
K.W. Hamlen, G. Morrisett, and F.B. Schneider 2006; A. Grusho, N. Grebnev, and E. Timonina 2007; BSI 2015
• For Germany: indirect attacks on the Internet of Things and Cloud Computing.
Assumption: each IT system is secure.
Figure: the information usage model of slide 8 (data providers, data consumers and providers/consumers exchanging d and d*), once with all systems intact and once with one provider/consumer marked as faulty.
• Covert dependencies cannot be decided by a Turing machine, but can be assessed statistically.
• Loss of control by conceptual dependency on a compromised TTP.
17. II. Multilateral Security
Combining opposite security interests by an equilibrium setting
• Accountability: authentic information on information processing
• Unobservability: non-linkability to impede re-identification
G. Müller, K. Rannenberg and A. Pfitzmann 1996; I. Echizen, G. Müller, R. Sasaki, and A Min Tjoa 2013
Figure: personal information positioned between accountability (traceability) and unobservability (anonymity, pseudonymity); privacy lies in the balance between the two.
18. II. Multilateral Security
Combining opposite security interests by an equilibrium setting
• Accountability: authentic information on information processing
• Unobservability: non-linkability to impede re-identification
G. Müller, K. Rannenberg and A. Pfitzmann 1996; I. Echizen, G. Müller, R. Sasaki, and A Min Tjoa 2013
Figure: as on the previous slide (accountability/traceability versus unobservability/anonymity/pseudonymity, personal information and privacy in between), now with usage control and control by transparency added as the mechanisms that keep the equilibrium.
21. Example: iManager
CeBIT 2003 scenario: buying an electronic railway ticket
Figure (screenshot): current partial identity | necessary personal information | proposed partial identity
S. Wohlgemuth, U. Jendricke, D. Gerd tom Markotten, F. Dorner, and G. Müller 2003
doIT Software Award 2003 of the German federal state Baden-Württemberg
24. Privacy-Enhanced Accountability
Figure: Systems 1 to 4, each acting as data provider/consumer (DP/DC), exchange d and d* with transparency; the recipient list recorded with the data grows along the chain (System 2; System 2, System 3; System 2, System 3, System 4), so the provider keeps control over who has received what.
• Hidden channels: information leakage and modification
• Accountability: data provenance on information exchange for audit
• Impeding non-authorized re-identification: unobservability
• Misuse of d, d* can be detected: accountability and availability
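The provenance-for-audit idea of this slide (accountability through data provenance, unobservability through impeded re-identification, detectable misuse of d and d*) as an added worked example. This is not code from the talk and not the author's own software: a small Python hash-chained provenance log in which the provider appears under a different pseudonym towards every consumer, so that consumers cannot link the records among themselves, while the provider, who holds the master secret, can re-identify every record and check whether each forwarding of d* was covered by a delegated right. The HMAC-based pseudonym derivation, the entry fields and the System 1..4 scenario are assumptions for illustration.

```python
# Added example (not from the talk): hash-chained provenance log with
# per-consumer pseudonyms and a provider-side audit of secondary use.
import hashlib
import hmac
import json

GENESIS = "0" * 64


def pseudonym(master_secret: bytes, consumer: str) -> str:
    """Provider's pseudonym towards one consumer (assumed HMAC-based).
    Without the master secret, two pseudonyms cannot be linked."""
    return hmac.new(master_secret, consumer.encode(), hashlib.sha256).hexdigest()[:16]


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ProvenanceLog:
    """Append-only, hash-chained record of delegations and transfers of d*."""

    def __init__(self):
        self.entries = []

    def append(self, **fields) -> str:
        body = dict(fields)
        body["prev"] = self.entries[-1]["hash"] if self.entries else GENESIS
        body["hash"] = _digest(body)        # digest covers all fields incl. prev
        self.entries.append(body)
        return body["hash"]

    def verify_chain(self) -> bool:
        """False if any entry was modified, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def audit(log: ProvenanceLog, master_secret: bytes):
    """Provider-side audit. A transfer of d* from X to Y is authorized iff a
    delegation granted X the right to forward to Y under the pseudonym the
    provider uses towards Y. Returns the unauthorized (X, Y) pairs."""
    granted = {(e["grantee"], e["dst"], e["subject"])
               for e in log.entries if e["type"] == "delegation"}
    violations = []
    for e in log.entries:
        if e["type"] != "transfer":
            continue
        expected = pseudonym(master_secret, e["dst"])
        if e["subject"] != expected or (e["src"], e["dst"], expected) not in granted:
            violations.append((e["src"], e["dst"]))
    return violations


def demo():
    """Constructed scenario following the slide's System 1..4 picture."""
    secret = b"provider-master-secret"   # known only to the provider, System 1
    log = ProvenanceLog()
    # Primary use: System 1 hands d to System 2 under its pseudonym towards System 2.
    log.append(type="primary_use", src="System1", dst="System2",
               subject=pseudonym(secret, "System2"), item="d")
    # Non-linkable delegation: System 2 may forward d* to System 3. The record
    # carries the pseudonym System 3 is allowed to learn, not System 2's.
    log.append(type="delegation", grantee="System2", dst="System3",
               subject=pseudonym(secret, "System3"), item="d*")
    # Authorized secondary use.
    log.append(type="transfer", src="System2", dst="System3",
               subject=pseudonym(secret, "System3"), item="d*")
    # Unauthorized secondary use: System 3 forwards d* to System 4 with the only
    # pseudonym it knows and without any delegation covering System 4.
    log.append(type="transfer", src="System3", dst="System4",
               subject=pseudonym(secret, "System3"), item="d*")
    return log, audit(log, secret)


if __name__ == "__main__":
    log, violations = demo()
    print("chain intact:", log.verify_chain())
    print("unauthorized transfers:", violations)
```

The audit finds the System 3 to System 4 forwarding because the pseudonym attached to it is the one issued for System 3, not System 4, and no delegation covers that hop; System 4 itself, seeing only a pseudonym, cannot tell which of System 2's or System 3's records belong to the same person. The hash chain only guarantees that tampering with the trail is detectable, not that a consumer cannot copy d* out of band; that leakage over hidden channels is exactly the residual risk the slide names.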
28. From Login to Control by Transparency
Figure (own figure based on Radar Networks & Nova Spivack 2007, E. Brynjolfsson and A. McAfee 2011): productivity plotted against amount of data.
• PC Era (Desktop): file systems, databases, groupware, keyword search
• Web 1.0 (The World Wide Web)
• Web 2.0 (The Social Web): wiki, social networking, tagging, mashups
• Web 3.0 (The Semantic Web): semantic search, reasoning, natural language search
• Web 4.0 (The Intelligent Web): smart personal agents
Along the axis: from human-machine interaction to machine-machine interaction; from centralized information processing via ubiquitous P2P information processing (Internet of Things) and decentralized P2P information processing (Cloud Computing) to processing with automatic decision support (Cyber-Physical Systems).
30. From Login to Control by Transparency
Figure: the same productivity/amount-of-data diagram as on slide 28 (own figure based on Radar Networks & Nova Spivack 2007, E. Brynjolfsson and A. McAfee 2011), overlaid with the evolution of AAA: one-factor authentication, multi-factor authentication, authorization, accounting, accountability, with increasing entropy of the authentication information.
33. Data-Centric Service
W. Wahlster & G. Müller. Placing Humans in the Feedback Loop of Social Infrastructures; NII Strategies on Cyber-Physical Systems. 2013
Figure: data provider --(d)--> data-centric service --(d, d*)--> data consumer.
Improving attractivity, increasing market share: lock-in, network effects, economies of scale (Müller, Eymann, Kreutzer 2003).
Cartoon: "Who am I?" "You are a dog, and your friend sitting close to you is a B/W dog."
Loss of control by asymmetric distribution of information.
Figure: the multilateral security diagram of slide 18 (accountability/traceability versus unobservability/anonymity/pseudonymity, usage control and control by transparency, personal information and privacy in between).
36. IV. Usable Security
From loss of control (figure: data provider --(d)--> data-centric service --(d, d*)--> data consumer)
to informational self-determination: Byzantine agreement on secondary use (figure: data provider/consumer, data consumer/provider and data consumer/consumer exchange d* among each other).
38. Consensus: Self-Organization
• Consensus on state transitions within a community of distributed, vulnerable users
Figure: data consumers/providers exchange d* ... d* among each other.
• Users change role during run-time (a "miner" checks transactions and gets a reward)
S. Nakamoto 2009
• Provenance by an irreversible, decentralized database with an eCoin system
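Consensus on a state transition of the kind shown on slides 36 and 38 (the community, not a single TTP, decides whether a secondary use of d* is authorized) as an added worked example, not code from the talk: a community of n = 3f + 1 validators, each holding its own replica of the delegated rights, votes on a proposed transfer, and the transfer is committed only if at least 2f + 1 votes say "valid". Up to f validators may be Byzantine and vote whatever an attacker wants. This is the classical quorum threshold shown as one voting round with an honest tallier, not a complete Byzantine-agreement protocol with message rounds; the validator names and the single delegated right are constructed for illustration.

```python
# Added example (not from the talk): quorum validation of a secondary-use
# state transition by a community with up to f Byzantine validators.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    item: str = "d*"


@dataclass
class Validator:
    name: str
    delegations: frozenset        # (grantee, recipient) rights this replica knows of
    byzantine: bool = False       # if True, votes whatever the attacker wants

    def vote(self, t: Transfer, attacker_wants: bool) -> bool:
        if self.byzantine:
            return attacker_wants
        return (t.src, t.dst) in self.delegations


def decide(votes, f: int) -> bool:
    """Commit the state transition iff at least 2f + 1 of 3f + 1 votes say 'valid'."""
    if len(votes) != 3 * f + 1:
        raise ValueError("community size must be 3f + 1")
    return sum(votes) >= 2 * f + 1


def run(t: Transfer, f: int, attacker_wants: bool, faulty: int = -1):
    """Community of 3f + 1 validators with `faulty` Byzantine members (default f).
    Returns (committed?, individual votes)."""
    faulty = f if faulty < 0 else faulty
    rights = frozenset({("System2", "System3")})     # constructed policy: the only delegated right
    community = [Validator(f"v{i}", rights, byzantine=(i < faulty))
                 for i in range(3 * f + 1)]
    votes = [v.vote(t, attacker_wants) for v in community]
    return decide(votes, f), votes


if __name__ == "__main__":
    legit, forged = Transfer("System2", "System3"), Transfer("System3", "System4")
    print("legit, f faulty try to block:", run(legit, 1, attacker_wants=False)[0])
    print("forged, f faulty try to push:", run(forged, 1, attacker_wants=True)[0])
    print("legit, f+1 faulty try to block:", run(legit, 1, attacker_wants=False, faulty=2)[0])
```

With f = 1 the honest three validators outvote the one colluder in both directions: the delegated transfer is committed and the forged one is rejected. Once the assumption is violated (two faulty validators out of four), a forgery is still rejected, but the faulty pair can also block the legitimate transfer; the safety property survives, availability does not, which is why the talk pairs accountability with availability.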
39. Decentralized Usage Control
• Secondary use of a symmetric distribution of personal security information
Figure: Privacy-Enhanced Authorization, Privacy-Enhanced Accountability and Privacy-Enhanced Accounting (A, A, A) built on a common trust anchor.
• Trust anchor: registered, non-linkable eID (Privacy-Enhanced Authentication)
• Acceptable authentic information decreases the individual risk of loss of control
40. V. Conclusion
• User control over identity is threatened by the use of privacy-enhanced security
• Unilateral use leads to loss of control (non-usable security)
• Multilateral control by secondary use of personal security information (re-use)
• Decentralized usage control supports usable security by decreasing individual risk
Usable security is informational self-determination and supports resilience.
Figure: the multilateral security diagram of slide 18 (accountability/traceability versus unobservability/anonymity/pseudonymity, personal information and privacy in between), now with decentralized usage control and control by transparency as the balancing mechanisms.