Designing Schneier’s Five Step Risk Analysis Process into an Online Role Play Security Policy Development Exercise. Nicola Martinez, SUNY Empire State College Wednesday, October 24th 2007

Upload: nicola-marae-allain-phd

Post on 31-Oct-2014


DESCRIPTION

Risk analysis and security policy development are essential components of an educated approach to security. The author discusses an online security role play scenario and policy development exercise designed to include Schneier’s five step risk assessment methodology, while developing higher level cognitive, consensus building, communication, and decision-making skills. A poster presentation for the Educause Conference, October 24th 2007.

TRANSCRIPT

Page 1: Designing Schneier’s Five Step Risk Analysis Process into an Online Role Play Security Policy Development Exercise

Designing Schneier’s Five Step Risk Analysis Process into an Online Role Play Security Policy Development Exercise.

Nicola Martinez, SUNY Empire State College

Wednesday, October 24th 2007

Page 2

Abstract

Risk analysis and security policy development are essential components of an educated approach to security.

The author will discuss an online security role play scenario and policy development exercise designed to include Schneier’s five step risk assessment methodology, while developing higher level cognitive, consensus building, communication, and decision-making skills.

Page 3

The Course: Privacy, Security, Freedom: Social Concerns for the 21st Century.

The course is a sociological and philosophical exploration of the questions of privacy, security and freedom in the 21st Century in the context of both the theory and practical, policy-oriented aspects of these social concerns.

Course Author: Nicola Martinez

Page 4

Course Assignments

(1) Lead 4 discussion topics with a 250 word commentary.

(2) Participate in a pro/con debate on privacy in relation to the Patriot Act, using case studies and recent "real" events to support arguments. This assignment requires the research/review/analysis/evaluation of six articles.

(3) Join a team for a role play scenario based learning activity. This assignment includes deciding on the scenario (what happened, how, what are the implications), participating in a group discussion, researching and reviewing 2 articles/websites, and developing a 500 word security policy.

(4) Design a research project using one or more of the following methods: data collection, evaluation of evidence, and employment of interpretive analysis using resources on the World Wide Web, examination of primary text materials such as the Patriot Act and the Homeland Security Act, and observation within their communities. The research project includes a formal research proposal and a 10-15 resource annotated bibliography.

Page 5

The Role Play Scenario, Part 1

Choose one of the following scenarios:

1. Imagine that you are all board members of a school district having to establish a security policy after an incident in the school.

2. You are the computer security team for a government organization housing highly sensitive information. An unknown hacker has accessed your files and leaked confidential information to the public. Concerned that insider information may have given the hacker easier access, you must develop a tighter internal security policy.

Page 6

The Role Play Scenario, Part 2

1. First, decide on the scenario: what happened, how, what are the implications. Start an initial group discussion on the scenario. Each group member must research and review 2 articles/websites that might be relevant to the case, and submit an evaluation/review of the article to the group.

2. Then, develop a 500 word security policy after weighing the rights of the individuals against the security of the group.

3. As you develop your policy, follow the five step process proposed by Schneier in Beyond Fear (Chapter 16, pp. 257-258). Be sure to consider the four "environmental constraints on behavior" (pp. 264-265). In addition, consider Schneier's three final rules (pp. 279-280).

4. In addition, the group must reference one or more sections of the Homeland Security Act in support of the proposed policy.

Page 7

Schneier’s Five Steps*

Step 1: What assets are you trying to protect?

Step 2: What are the risks against these assets?

Step 3: How well does the security solution mitigate the risks?

Step 4: What other risks does the security solution cause?

Step 5: What trade-offs does the security solution require?

*Bruce Schneier. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. New York: Copernicus Books, 2003.

Page 8

Four Environmental Constraints On Behavior*

1. Law

2. Market forces

3. Technology

4. Societal norms

*Lessig, Schneier

Schneier’s Three Final Rules

1. Risk Demystification

2. Secrecy Demystification

3. Agenda Demystification

Page 9

Sample Group 1 Scenario

The Response:

An EMERGENCY Board Meeting was called on Friday, March 18, 2005 at 7:30 pm in order to discuss implementing a more solid weapons policy which is presently in effect, and also to ensure the safety of all students, faculty, and staff going forward.

The Scenario:

On Wednesday, March 16th a junior at Central Valley High School was found to have a handgun on campus. He showed it to a few of his friends and threatened one of his teachers who gave him detention for cutting class. One of his friends, another student, and the teacher reported the incident to the school principal.

Page 10

Sample Group 1 Scenario

School buses are parked from time to time away from the school bus yard for overnight accommodation near the driver’s home. On one such bus, an incendiary device was placed near the gas tank, away from the driver’s view during the routine inspection prior to starting the vehicle. Furthermore, access to the bus’ interior was gained, and another such device placed in a tear deliberately made in one of the seats, near the middle of the bus.

Both exploded, causing fire, smoke, and minor injuries to all but three students, 2 of whom were sitting in the seat where the device was placed, and one in the seat across the aisle, who was leaning over to talk to those students at the time of the incident. Those students received serious, though fortunately not life-threatening, injuries.

Page 11

Sample Group 2 Scenario

We are on the computer security team for the Transportation Security Administration (TSA). The TSA maintains Watch Lists in two specific categories, the no fly list and the selectee list.

Thousands of people around the world have access to the Watch Lists, classified as Sensitive Security Information (SSI), including airline ticketing agents.

The Watch Lists, with over 80,000 names, were leaked to the press unleashing a public relations nightmare for our agency.

There is an ongoing investigation in regards to exactly how the lists were leaked. Our job is to design a computer security policy that will minimize the possibility of this happening again in the future.

Page 12

Sample Group 2 Scenario

Introduction: An unknown hacker has accessed our system files and leaked confidential information to the public. American Health is concerned that insider information may have given the hacker easier access, and in response has implemented the following increase to our current security policy. Due to this recent security incident American Health has implemented the following changes to our security policy.

Objective: The objective of this security policy is to protect and maintain the confidentiality, integrity, availability, and authentication of the information maintained and managed by American Health. It is also to outline the acceptable use of computer equipment at American Health. The included rules are in place to protect the employee and American Health. Inappropriate use exposes American Health to risks including virus attacks, compromise of network systems and services, and legal issues.

Scope: This policy applies to employees, contractors, consultants, temporary workers, and all other workers at American Health.

Page 13

Group Management Guidelines

Page 14

Group Experience and Peer Evaluation

Page 15

Evaluation Rubric

Page 16

Comments from Students

What I think made this class outstanding was the level of participation; only via participation are people able to express their thoughts and opinions and enhance others' education. We as a class probably come from different socio-economic backgrounds and our ideas are diverse; this diversity is what I believe brought about a great learning environment.

I would like to say how much I have enjoyed participating in the group/student led discussions and the group project.

I think the fact that you allowed us to choose the group that we wanted to be a part of made the involvement as great as it did. 

I thought that the group projects really helped us to share a great deal of information and both groups put together some great presentations.

Believe it or not my favorite part of this class was the group reports/projects. While it was not the easiest task in the world trying to get all of us on the same page, the end result was well worth the effort. Other than enjoying the whole “group aspect” of it, I also found the task of making our own school weapons policy very intriguing. Also, a series of unfortunate events synchronized with our project as well (shootings/stabbings in school). Those events, I believe, played an important part in some of our decisions about what to include, and not include in our policy.

The lessons we have learned in this course will probably stay with us for the rest of our lives. We will re-evaluate political policies and security measures, be more aware of privacy issues, and cherish more deeply the freedoms that remain available to us.

Page 17

Conclusion

Designing successful role play scenarios and online group activities presents a particular set of challenges. In addition, devising successful risk analysis and security policy development exercises requires a thoughtful balance of theory, risk assessment methodologies, and policy making procedures.

I hope to have demonstrated an activity providing principles and approaches of value to educators, security professionals, and policy makers interested in information related to security studies, in strategies for successful role play design and group activity facilitation, or in both.

Nicola Martinez

Page 18

Contact Information

• Visit our web site at: http://www.esc.edu/cdl

Nicola Martinez, Director of Curriculum and Instructional Design

Center for Distance Learning, 111 West Avenue, Saratoga Springs, NY 12866

518-587-2100, ext. 2276

[email protected]