Speakers, title, and abstracts:
Daniele Canavese
Title: Zero-Trust Explainable Autonomous Networks
Abstract: An autonomous network is a computer network that operates with minimal or no human intervention. It can self-monitor, automatically protect, and reconfigure to withstand abnormal events such as cyberattacks or accidental failures. For instance, if a firewall is compromised, the autonomous network can detect the attack and react autonomously by isolating the compromised security control, reconfiguring another one, and redirecting the traffic to the new firewall.
This presentation will describe an autonomous network approach based on three main pillars:
- Intents: High-level non-functional requirements used to declare a network’s behavior, thus simplifying its management
- Explainable artificial intelligence: enabling intelligent actions and reactions that are human-interpretable
- Zero-trust paradigm: a security principle stating that “no one should be trusted”, which can considerably harden a network’s security
Xhesika Ramaj
Title: Training and Security Awareness Under the Lens of Practitioners: A DevSecOps Perspective Towards Risk Management
Abstract: Critical infrastructures (CI) extend across various sectors of the economy, relying on a combination of software and hardware technologies to manage the operations of their systems, services, and assets. Risk management plays a pivotal role in ensuring the long-term viability of organizations by identifying potential threats and vulnerabilities. The realm of DevSecOps in CI undergoes continuous evolution, requiring organizations to consistently adapt their strategies for addressing emerging risks. The goal of this exploratory study is to understand how training and security awareness influence the adoption of DevSecOps practices and, consequently, their role in enhancing processes related to risk management in the context of CI. The study examines, using a survey, the perspectives of DevOps professionals, developers, security experts, and other experts working in CI. The results reveal a gap in regular training and awareness sessions, which has triggered practitioners to follow a proactive approach of acquiring knowledge and skills independently. The findings also highlight the fostering of a positive security culture through risk-averse behavior, which consequently reduces the occurrence of incidents and promotes adherence to policies. The study offers valuable insights into DevSecOps in risk management, potentially encouraging the adoption of DevSecOps and guiding practitioners interested in harnessing its inherent benefits within the context of CI. Furthermore, our findings pave the way for future research endeavors on assessing the impact of training and awareness programs in shaping and improving the security culture within CIs.
Winnie Bahati
Title: Usefulness of data flow diagrams and large language models for security threat validation
Abstract: The arrival of recent cybersecurity standards has raised the bar for security assessments in organizations, but existing techniques don’t always scale well. Threat analysis and risk assessment are used to identify security threats for new or refactored systems. Still, there is a lack of a definition-of-done, so identified threats have to be validated, which slows down the analysis. Existing literature has focused on the overall performance of threat analysis, but no previous work has investigated how deep analysts must dig into the material before they can effectively validate the identified security threats. We propose a controlled experiment with practitioners to investigate whether “some” analysis material (such as LLM-generated advice) is better than none, and whether more material (the system’s data flow diagram plus LLM-generated advice) is better than having “some” material. In addition, we present key findings from running a pilot with 41 MSc students, which are used to improve the study design. Finally, we also provide an initial replication package, including experimental material and data analysis scripts, and a plan to extend it with new materials based on the final data collection campaign with practitioners (e.g., pre-screening questions).
The link to the virtual workshop is:
https://vu-live.zoom.us/j/95086678228?pwd=TnLBBHjJElzSii0l4BpHP9IiyEUDey.1