Friday, October 1, 2010

The Importance of Modeling – SENDSim, Part 2

By Greg Amis & Carl Hunt
From the beginnings of the SENDS Project and well before, you’ve heard it time and again: cybersecurity experts face a daunting mix of ever-changing threats and a technological landscape that grows in complexity every day. Preparing a robust plan for network defense requires not just a detailed understanding of information technology but a careful appreciation of how the actions and inactions of ordinary users can enhance or compromise security. In fact, people and how we represent them in planning and design are fundamental inputs of the Design process, as discussed in the 30 September blog, “Design and the Science of Cyberspace.”
Experience has shown that security plans may on the surface seem robust but can be circumvented by users in their quest to accomplish work tasks. Other plans may meet security and information assurance goals but inadvertently prevent legitimate operations from running effectively. Further, even the best plans and designs cannot be executed unless security experts can motivate institutional leaders and decision makers to appreciate the real threats against cybersecurity in an environment of increasingly tight budgets and conflicting priorities.
Fortunately, these are all issues that can be examined in considerable detail in an experimental environment that does not cause disruption in current plans and workforce policies. This experimentation, based on sound scientific principles within a controlled environment, falls within a technique known as agent-based modeling and simulation.
As we first introduced in the 13 September blog entry, “The Importance of Modeling – SENDSim, Part 1,” a major component of the SENDS Pilot Project is a modeling and simulation task that helps us better understand how people and information technology interact and the interdependencies that arise with the convergence of these two sources of vulnerability. We call the product output of this task SENDSim.
We are writing today about the technical nature of this task. As we get further along in the work, we will be able to describe the individual and organizational social nature of this critical component of SENDS.
In brief, SENDSim is being designed to help the cybersecurity expert face cyberspace security challenges by providing a platform for understanding threats, evaluating solutions, and communicating the benefits of a principled security plan to non-technical decision makers. Users can specify network designs, assumptions, and policy parameters. SENDSim then creates a simulated network, a simulated workforce using that network, and a simulated malware threat. The illustration of an early SENDSim screenshot below helps to visualize the components and interactions of SENDSim agent-actors.

Incorporating modeling techniques from epidemiology and behavioral economics, SENDSim captures both the behaviors of the malware and the behaviors of the network users. These behaviors (based on intents and attitudes modeled on subject matter expert insights) include users’ appreciation of cyber threats, their level of technical sophistication, and their actions, such as choosing passwords, enabling and disabling features, and telling co-workers about threats and solutions.
Detailed visualizations demonstrate how malware infiltrates a network, spreads, and inflicts damage. In addition to standard cybersecurity metrics focused on technology, SENDSim adds metrics related to the workforce, such as productivity, as well as metrics related to cost.
By modeling both the behavior of malware and the behavior of non-malicious users, cybersecurity operators and experts will have a broader view of how their designs and policies impact both their security goals and the larger productivity and efficacy goals of the organization.
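To make the idea concrete, here is a toy agent-based run added for illustration; it is not SENDSim code, and the topology, the `awareness` and `gossip` parameters, and the cost figure are all assumptions. It combines an epidemic-style spread step with a word-of-mouth behavior step and reports infection, productivity, and cost metrics.

```python
import random

def simulate(n_users=20, awareness=0.3, gossip=0.05, ticks=20,
             cost_per_lost_tick=100.0, seed=1):
    """Toy model (illustrative assumptions only): one infected host on a
    small office network whose users vary in caution."""
    rng = random.Random(seed)  # seeded so a run can be repeated exactly
    # Constructed topology: a ring plus a link to the host five seats away.
    neighbors = {i: {(i - 1) % n_users, (i + 1) % n_users, (i + 5) % n_users}
                 for i in range(n_users)}
    for i in range(n_users):            # make every link two-way
        for j in list(neighbors[i]):
            neighbors[j].add(i)
    aware = [awareness] * n_users       # chance a user refuses the lure
    infected = {0}                      # patient zero
    lost_ticks, history = 0, []
    for _ in range(ticks):
        # Epidemiology step: each infected host exposes its neighbors;
        # an exposure succeeds with probability 1 - awareness.
        newly = {peer for host in infected for peer in neighbors[host]
                 if peer not in infected and rng.random() < 1.0 - aware[peer]}
        # Behavior step: co-workers next to an infected machine hear
        # about the threat and become more cautious.
        for host in infected:
            for peer in neighbors[host]:
                aware[peer] = min(1.0, aware[peer] + gossip)
        infected |= newly
        lost_ticks += len(infected)     # an infected seat does no work
        history.append(len(infected))
    return {"infected": len(infected), "history": history,
            "productivity": 1.0 - lost_ticks / (n_users * ticks),
            "cost": lost_ticks * cost_per_lost_tick}

if __name__ == "__main__":
    # Compare a careless workforce with a cautious, talkative one.
    for label, a, g in [("low awareness", 0.1, 0.0),
                        ("high awareness + gossip", 0.6, 0.1)]:
        r = simulate(awareness=a, gossip=g)
        print(f"{label}: infected={r['infected']} "
              f"productivity={r['productivity']:.2f} cost={r['cost']:.0f}")
```

Varying `awareness` and `gossip` across runs shows how workforce behavior, not just the malware, drives the productivity and cost figures.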
Cybersecurity experts are often charged with assessing the vulnerabilities of a network and recommending a course of action. SENDSim can also help these experts make cyber threats more tangible for decision makers, helping them visualize possible threat scenarios and quantify those scenarios in terms of financial cost as well as in terms of information assurance and military readiness. Decision makers can then draw more informed conclusions that take the broader interests of the organization into account.
We are excited about what SENDSim and potential follow-on modeling and simulation efforts might provide, both for the near-term requirements of government and other users and for the likely ability to improve design over the lifespan of networks. The design functions required to implement any outputs from our Science of Cyberspace work will benefit greatly from these kinds of modeling and simulation efforts, helping us to test hypotheses and evidence gathered and generated in this endeavor.
Stay tuned for more about SENDSim and the modeling and simulation support to SENDS!