Measuring the Security Posture of Large Financial Enterprises: An EAGER Proposal to NSF CCF

衡量大型金融企业的安全状况：向 NSF CCF 提出的迫切建议

• 批准号: 0950373
• 负责人: Salvatore Stolfo
• 金额: $ 30万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0950373&HistoricalAwards=false
• 关键词: Measuring; Security; Posture; Large; Financial

To develop computer security as a science and engineering discipline, metrics need to be defined to evaluate the safety and security of alternative system designs. Security policies are often specified by large organizations but there are no direct means to evaluate how well these policies are followed by human users. The proposed project explores fundamental means of measuring the security posture of large enterprises. Risk management and risk mitigation requires measurement to assess alternative outcomes in any decision process. The project is intended to devise metrics and measurement methods, and test and evaluate these in a real institution, to evaluate how human users behave in a security context. Financial institutions in particular require significant controls over the handling of confidential financial information and employees must adhere to these policies to protect assets, which are subject to continual adversarial attack by thieves and fraudsters. Hence, financial institutions are the primary focus of the measurement work. The technical means of measuring user actions that may violate security policy is performed in a non-intrusive manner. The measurement system uses specially crafted decoy documents and email messages that signal when they have been opened or copied by a user in violation of policy. The project will develop collaborations with financial experts to devise risk models associated with users of information technology within large enterprises. This line of work extends traditional research in computer security by opening up a new area focused on the human aspect of security.

为了将计算机安全发展为一门科学和工程学科，需要定义度量标准来评估替代系统设计的安全性和可靠性。安全策略通常由大型组织指定，但没有直接的方法来评估人类用户遵守这些策略的情况。拟议的项目探讨衡量大企业安全状况的基本手段。风险管理和风险缓解需要衡量，以评估任何决策过程中的替代结果。该项目旨在设计指标和测量方法，并在真实的机构中测试和评估这些指标和方法，以评估人类用户在安全环境中的行为。金融机构尤其需要对机密财务信息的处理进行严格控制，员工必须遵守这些政策以保护资产，这些资产可能会受到小偷和欺诈者的持续攻击。因此，金融机构是衡量工作的主要重点。测量可能违反安全策略的用户操作的技术手段以非侵入式方式执行。测量系统使用特制的诱饵文档和电子邮件，当用户违反策略打开或复制它们时发出信号。该项目将与金融专家合作，设计与大型企业内信息技术用户有关的风险模型。这项工作扩展了计算机安全的传统研究，开辟了一个新的领域，专注于安全的人的方面。