Threat Me Right: A Human HARMS Threat Model for Technical Systems

• URL: http://arxiv.org/abs/2502.07116v1
• Date: Mon, 10 Feb 2025 23:13:41 GMT
• Title: Threat Me Right: A Human HARMS Threat Model for Technical Systems
• Authors: Kieron Ivy Turk, Anna Talas, Alice Hutchings,
• Abstract summary: We discuss traditional threat modelling methods and their shortcomings. We propose a new threat modelling framework (HARMS) to identify non-technical and human factors harms.
• Score: 4.096453902709292
• License:
• Abstract: Threat modelling is the process of identifying potential vulnerabilities in a system and prioritising them. Existing threat modelling tools focus primarily on technical systems and are not as well suited to interpersonal threats. In this paper, we discuss traditional threat modelling methods and their shortcomings, and propose a new threat modelling framework (HARMS) to identify non-technical and human factors harms. We also cover a case study of applying HARMS when it comes to IoT devices such as smart speakers with virtual assistants.

Related papers

• Safety at Scale: A Comprehensive Survey of Large Model Safety [299.801463557549]
  We present a comprehensive taxonomy of safety threats to large models, including adversarial attacks, data poisoning, backdoor attacks, jailbreak and prompt injection attacks, energy-latency attacks, data and model extraction attacks, and emerging agent-specific threats. We identify and discuss the open challenges in large model safety, emphasizing the need for comprehensive safety evaluations, scalable and effective defense mechanisms, and sustainable data practices.
  arXiv  Detail & Related papers  (2025-02-02T05:14:22Z)
• Evidence-Based Threat Modeling for ICS [0.0]
  ICS environments are vital to the operation of critical infrastructure such as power grids, water treatment facilities, and manufacturing plants. We propose a novel evidence-based methodology to systematically identify threats based on existing CVE entries of components. We have implemented our methodology as a ready-to-use tool and have applied it to a typical SCADA system to demonstrate that our methodology is practical and applicable in real-world settings.
  arXiv  Detail & Related papers  (2024-11-29T15:05:00Z)
• AsIf: Asset Interface Analysis of Industrial Automation Devices [1.3216177247621483]
  Industrial control systems are increasingly adopting IT solutions, including communication standards and protocols. As these systems become more decentralized and interconnected, a critical need for enhanced security measures arises. Threat modeling is traditionally performed in structured brainstorming sessions involving domain and security experts. We propose a method for the analysis of assets in industrial systems, with special focus on physical threats.
  arXiv  Detail & Related papers  (2024-09-26T07:19:15Z)
• Introducing Systems Thinking as a Framework for Teaching and Assessing Threat Modeling Competency [3.467282314524728]
  We propose using systems thinking in conjunction with popular and industry-standard threat modeling frameworks like STRIDE for teaching and assessing threat modeling competency. Students who had both systems thinking and STRIDE instruction identified and attempted to mitigate component-level and systems-level threats.
  arXiv  Detail & Related papers  (2024-04-25T14:21:15Z)
• Asset-centric Threat Modeling for AI-based Systems [7.696807063718328]
  This paper presents ThreatFinderAI, an approach and tool to model AI-related assets, threats, countermeasures, and quantify residual risks. To evaluate the practicality of the approach, participants were tasked to recreate a threat model developed by cybersecurity experts of an AI-based healthcare platform. Overall, the solution's usability was well-perceived and effectively supports threat identification and risk discussion.
  arXiv  Detail & Related papers  (2024-03-11T08:40:01Z)
• ADMIn: Attacks on Dataset, Model and Input. A Threat Model for AI Based Software [0.0]
  We present a threat model that can be used to uncover threats to AI based software. The threat model consists of two main parts, a model of the software development process for AI based software and an attack taxonomy. We apply the threat model to two real life AI based software and discuss the process and the threats found.
  arXiv  Detail & Related papers  (2024-01-15T20:55:21Z)
• ThreatKG: An AI-Powered System for Automated Open-Source Cyber Threat Intelligence Gathering and Management [65.0114141380651]
  ThreatKG is an automated system for OSCTI gathering and management. It efficiently collects a large number of OSCTI reports from multiple sources. It uses specialized AI-based techniques to extract high-quality knowledge about various threat entities.
  arXiv  Detail & Related papers  (2022-12-20T16:13:59Z)
• Self-Destructing Models: Increasing the Costs of Harmful Dual Uses of Foundation Models [103.71308117592963]
  We present an algorithm for training self-destructing models leveraging techniques from meta-learning and adversarial learning. In a small-scale experiment, we show MLAC can largely prevent a BERT-style model from being re-purposed to perform gender identification.
  arXiv  Detail & Related papers  (2022-11-27T21:43:45Z)
• Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
  We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research. Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
  arXiv  Detail & Related papers  (2022-07-18T09:59:21Z)
• Inspect, Understand, Overcome: A Survey of Practical Methods for AI Safety [54.478842696269304]
  The use of deep neural networks (DNNs) in safety-critical applications is challenging due to numerous model-inherent shortcomings. In recent years, a zoo of state-of-the-art techniques aiming to address these safety concerns has emerged. Our paper addresses both machine learning experts and safety engineers.
  arXiv  Detail & Related papers  (2021-04-29T09:54:54Z)
• A System for Automated Open-Source Threat Intelligence Gathering and Management [53.65687495231605]
  SecurityKG is a system for automated OSCTI gathering and management. It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
  arXiv  Detail & Related papers  (2021-01-19T18:31:35Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.