With the ever growing and unprecedented popularity of social networking sites such as Facebook, Google+, MySpace, Twitter etc. in the personal sphere, and others such as LinkedIn in business circles, undesirable security and privacy risk issues have emerged as a result of this extraordinary rapid ascent. The front ranking problems are mainly lack of trustworthiness; namely, those of breach of security and privacy. We employ a quantitative approach to assess security and privacy risks for social networks already under pressure by users and policymakers for breaches in both quality and sustainability, and will also demonstrate how to manage risk by using a cost-optimal game-theoretical solution. A number of real people (not simulated) were interviewed and the results are discussed. Ramifications of this quantitative risk assessment of privacy and security breaches in social networks will be summarized.
APPLICATION OF THE PROPOSED QUANTITATIVE RISK ASSESSMENT METHOD TO MEASURE AND MANAGE PRIVACY/SECURITY RISK IN SOCIAL NETWORKS
Fast Company reported that a Ph.D. candidate at Berkeley made headlines exposing a potentially devastating hole in the framework of Facebook's third-party application programming interface (API) which allows for easy theft of private information. This candidate and her co-researchers found that third-party platform applications for Facebook gave developers access to far more information (addresses, pictures, interests, etc.) than needed to run the app. A major reason social network security and privacy lapses exist simply results from the astronomical amounts of information the sites process each and every day. These flows of data make it much easier to exploit a single flaw in the system. Features that invite user participation such as messages, invitations, photos, open platform applications etc. are often the avenues used to gain access to private information.
The core of the matter, however, is to come up with a set of effective risk quantification and management techniques so as to help alleviate problems arising from lack of security and privacy due to the mushrooming social networks as well their connect services1. A well-known management proverb says, “what is measured is managed” and another says, “Yes, you can quantify risk” balanced against reasons such as the difficulty in collecting trustworthy data regarding security and privacy breaches2. The Security Meter technique provides a quantitative alternative to the currently used purely qualitative models, a method which has been theoretically validated3,4.The major privacy/security related vulnerabilities in typical social networks vary from i) Correspondence, ii) Internet Connectivity, iii) Personal Identity, iv) Health, v) Career, vi) Legal, vii) Personal Software to viii) Password. Here are some threats listed respectively from the above listed vulnerabilities regarding social networks. That is:
for i) Correspondence: 1) VoIP Calls, 2) Phishing, 3) E-Mail Hijacking, 4) Internet Chat, 5) Cell-Phone Software, 6) Blue Tooth Devices, 7) Electronic Commerce;
for ii) Internet Connectivity: 1) Cookies, 2) HTTP, 3) Browsers, 4) Search Engines, 5) Spam;
for iii) Personal Identity: 1) ISP, 2) Social Sites, 3) Social Engineering;
for iv) Health: 1) Prescription Tracking, 2) Medical Office Website Records;
for v) Career related: 1) Job applications (Sites and Applications), 2) HR Department records, 3) Benefits Records;
for vi) Legal related: 1) Personal Documents, 2) Lawyer related files;
for vii) Personal Software (Facebook style): 1) Index.dat, 2) Software Purchased, 3) Freeware-Shareware
and for viii) Password Theft: 1) Keystroke Listening, 2) Monitor Glow, 3) Guess Online, 4) Encrypted Password, 5) Dictionary Attack, 6) Easily Guessed Passwords, 7) Insider Intrusion, 8) Outsider Intrusion, 9) Picture Taking, 10) Shoulder Surfing, 11) Social Engineering, and 12) Using Bugs (Microphones).
Note that a related tree diagram illustrates these parameters in an easy-to-follow compact portfolio in Figure 1.
Figure 1. An Example of Privacy/Security Risk Meter Tree Diagram.
Table 1. The sample questions (XML format) for a selected Vulnerability -Threat –CM branch in Figure 1
Figure 2. Example of a Game-Theoretic Cost Optimal Risk Assessment and Management Analysis from Figure 1 and Table 1 for the Median interviewee.
CLARIFICATIONS FOR APPLICATIONS IN FIGURE 1 AND 2 ON PRIVACY AND SECURITY RISK SURVEY
Seven graduate students were surveyed at METU, Ankara in April 2011. Their risk scores ranked were as follows with their initals: G(.23), S(.24), F(.27), T(.35), S(.52), F(.56), K(.57), resulting in an arithmetic average of 40% risk. Since no such average real person exists as a representative of the sample, the median with 35% was taken as a measure of central tendency. The risk analysis that belong to the median score is tabulated in Figure 2, including cost-optimal risk management analyses in the same screenshot.
Now, to mitigate Median survey taker; that is, T’s privacy/security risk from 34.5% down to 24%, i) increase the CM capacity for the threat of “E-Mail hijacking” in the vulnerability of “Correspondence” from 85% to 100% for an improvement of 15%, ii) increase the CM capacity for the threat of “E-Commerce” in the vulnerability of “Correspondence” from 69.5% to 100% for an improvement of 30.50% iii) increase the CM capacity for the threat of “Easily guessed passwords” in the vulnerability of “Password” from 50% to 64.36% for an improvement of 14.36 A total cost of $841.76 is allocated. We can recursively continue to mitigate the present risk of 24% (down from an initial 35%) to lower target values such as 10% if we have sufficient budget remaining for further improvement. This is to say that Median(T) will implement the the above clarified countermeasures by purchasing the services needed to mitigate her privacy/security risk from 35% to a low of 24%. She will do that by simply referring to the CM questions as cited, and converting the negative (No) responses to positives (Yes) by taking countermeasures. While doing so, she will optimize her costs by following the optimal allocation plan suggested by the Security Meter’s game-theoretical solutions as explained in Figure 2.
DISCUSSIONS AND CONCLUSIONS
The Security Meter (SM), which possesses an avenue for eliciting data from expert opinion if numerical data are not available, therefore shifts from the current subjective and crude risk evaluation mechanisms to a verifiable and quantitative methodology of risk assessment and management5. This may positively result in an optimized expenditure of security/privacy remediation dollars. This way, much contested social networks can be risk-quantified by providing the right set of input data, categorical and numerical, as demonstrated in the above sections. Even more importantly, what to do next, and in what priority order by minimizing cost to mitigate the risk to a tolerable level are very significant points to consider.
The surveyed data acquired from a sample of 7 college students at METU, Ankara indicated a 40% of risk that on the average, almost one of the two users are adversely affected by privacy/security breaches of some sort whether they be social or health or any privacy/security related network6. This is what this research plans to achieve by further mitigating the risk from an undesirable percentage to a tolerable lower level concurrently minimizing the cost of optimized countermeasures employing the game-theory essentials.
The efficacy of this realistic metric-seeking endeavor will be enhanced as many more users go on line and make their opinions heard through the SM tool, probably placed in a Cloud, such as in a customer service satisfaction survey. This auditing type of activity will help not only the social networks’ innovators and high ranking managers to improve their services to alleviate breach of privacy and security, but also enhance the mainstream public-user majority’s confidence and trust.
Mehmet Sahinoglu is from Auburn University at Montgomery, Alabama and Director/Professor at the Informatics Institute. Aysen Dener Akkaya is from the Middle East Technical University in Ankara, Turkey and is Professor at the Department of Statistics.