ProSec – Proven Security for systems with human interaction

Name of the participant: Julia Eisentraut

Description of the IT research project: The aim of the project ProSec (Proven Security) is to make the latest research results from the formal analysis of systems usable in the assessment of (data) security. The innovation of this approach is that, for the first time, not only hardware and software components are examined with mathematical precision, but also the actions of the people who operate in the systems and who usually make the mistakes that are most serious for security.

The motivation of the project is that attacks on IT systems are now part of everyday life. For systems that are security-critical or contain sensitive data, reliable analyses are therefore needed to decide how likely an attack on that very system is to succeed, how to detect an attack and how best to react to a successful attack. Such a formal analysis is necessary not only for vehicles, aircraft, power plants and other components of critical infrastructure, but also for medical practices, law firms, government agencies and other service providers that manage sensitive data.

The ProSec project therefore aims to develop a process for carrying out such a formal analysis. This process makes it possible to combine information about the technical side with knowledge from attacks that have already happened and the typical behaviour of people in the system to form a human-readable meta-model. This model then serves as the basis for detecting attacks and for making prioritized recommendations for action as soon as an attack occurs. A user study that systematically examines the comprehensibility of attack trees for non-computer scientists, together with the other results, then provides sufficient information to create design guidelines for such a security analysis.

Software Campus partner: TU Munich, DATEV eG

Implementation period: 01.01.20 – 30.06.21