An Information Security Management for Socio-Technical Analysis of System Security

Concerned about the technical and social aspects at the root causes of security incidents and how they can hide security vulnerabilities we propose a methodology compatible with the Information Security Management life-cycle. Retrospectively, it supports analysts to reason about the socio-technical causes of observed incidents; prospectively, it helps designers account for human factors and remove potential socio-technical vulnerabilities from a system's design. The methodology, called S.CREAM, stems from practices in safety, but because of key differences between the two disciplines migrating concepts, techniques, and tools from safety to security requires a complete re-thinking. S.CREAM is supported by a tool, which we implemented. When available online it will assist security analysts and designers in their tasks. Using S.CREAM, we discuss potential socio-technical issues in the Yubikey's two-factor authentication device.