Assessing ICT Security Risks in Socio-Technical Systems (Dagstuhl Seminar 16461)

This report documents the program and the outcomes of Dagstuhl Seminar 16461 "Assessing ICT Security Risks in Socio-Technical Systems". As we progress from classic mechanical or electrical production systems, over ICT systems, to socio-technical systems, risk assessment becomes increasingly complex and difficult. Risk assessment for traditional engineering systems assumes the systems to be deterministic. In non-deterministic systems, standard procedure is to fix those factors that are not deterministic. These techniques do not scale to ICT systems where many risks are hard to trace due to the immaterial nature of information. Beyond ICT systems, socio-technical systems also contain human actors as integral parts of the system. In such socio-technical systems there may occur unforeseen interactions between the system, the environment, and the human actors, especially insiders. Assessing ICT security risks for socio-technical systems and their economic environment requires methods and tools that integrate relevant socio-technical security metrics. In this seminar we investigated systematic methods and tools to estimate those ICT security risks in socio-technical systems and their economic environment. In particular, we searched for novel security risk assessment methods that integrate different types of socio-technical security metrics.