Enhancing Cybersecurity by Generating User-Specific Security Policy through the Formal Modeling of User Behavior
Author: Arwa AlQadheeb
Major Advisor: Siddhartha Bhattacharyya, Ph.D.

Despite the ongoing efforts to develop cutting-edge security solutions, the question always remains whether these technologies can overcome system vulnerabilities that often result from poor security practices by end-users. Recently, some research has been devoted to studying the human role in cybersecurity, especially its psychological aspect. Researchers found that users' responses to security-related situations correlate with various elusive factors such as demographics, personality traits, decision-making styles, and risk-taking preferences. That explains why some users neglect to act according to common security tips and advice. The goal of this research is to help cybersecurity maintain a high level of quality and reliability; we reinforce the generated policy to overcome weaknesses created by the human link in the security chain. To achieve this goal, we developed a formal-method-based approach to model and examine end-users' security-related behaviors, described by Finite-State Automata (FSA). The methodology initially assesses the cybersecurity behaviors that users exhibit while using electronic devices such as laptops and smartphones, or while accessing Internet accounts in daily life, spanning four aspects: device securement, password generation, proactive awareness, and updating. Once we identified these behaviors, we created a knowledge repository to represent the behavior using Finite-State Automata (FSA). This enabled

List of Tables
4.1 Comparison between [22] and [27]

Last, but not least, many thanks to my supportive friends for being around during the ups and downs of this beautiful journey, and to every other individual who helped in one way or another to make this course of my life easier and more enjoyable.

Introduction
The level of innovation in today's computing landscape has changed markedly in the past few years. The vast use of emerging technologies such as the Internet of Things (IoT), cloud computing, and artificial intelligence by organizations and communities has threatened security and assurance within information systems. Cyber defenders find themselves in an ongoing war with cybercriminals and threat actors who continue to find ways to launch their attacks more aggressively. Attackers who practice manipulative tactics and use available sophisticated technologies have made old-fashioned means of protection relatively ineffective against increasingly advanced and crafty attacks.
Security professionals remain determined to develop more robust and reliable security solutions in order to be more prepared to deal with cyberattacks. In 2010, John Kindervag, a Security and Risk Principal Analyst at Forrester Research Inc., developed a Zero Trust security model that has a different take on security and revolves around classic security principles, the most important of which is "never trust, always verify." [34].
The assumptions about how a Zero Trust network should behave or operate differ from those of traditional security models in their rules of operation, which reflect improvements in adversary strategies, techniques, and observed behaviors. In a Zero Trust environment, an organization has no default trust in any user or device, whether inside or outside the network's perimeter; it ensures that every party is subject to restricted access with continuous authentication and authorization, and it verifies that every action taken by that party is permitted. For instance, if an intruder were able to gain sustained access to an organization's network in order to reach valuable assets and confidential data, then any lateral movement through the network is more likely to be detected and denied because of the strict internal access control policy [34].
To better minimize the risk of being exposed to cyberattacks, organizations considering Zero Trust should also pay close attention to the human aspect, which is often the most vulnerable component of any security system [27]. The natural structure of human psychology, the limits of humans' information processing capacity, and their almost absolute reliance on previous experience stand in the way of making the right choices [61]. Even though the cost of a breach that results from a human error or a system malfunction is occasionally less than the cost of a breach caused by a cybercriminal or a malicious insider, this should not diminish the consequences of human negligence [53]. Between July 2018 and April 2019, the Ponemon Institute conducted a study based on interviews with 507 companies across 16 geographies that had suffered data breaches. The study reveals that user negligence is the leading cause of 24% of data breaches, which cause, on average, around $3.5 million of financial damage. Unintentional and accidental breaches result from so-called inadvertent insiders who experienced a successful phishing attack or had their devices infected, lost, or stolen. According to the Ponemon Institute, human errors in cybersecurity cost $133 on average per compromised record, and it takes organizations around 181 days to identify and 61 days to contain a data breach that is related to such careless human action [53].
Most computer systems are designed around the general perception of the average user, as if all users were the same, overlooking the fact that individuals differ markedly from each other [22][31]. Because there are individual differences that separate one person from another and contribute to shaping each individual's sense of self [9], one can consequently explain why different people respond and interact differently with the same computer system. Recently, in the context of human factors in cybersecurity, researchers and practitioners have begun to examine human psychology to understand users' behaviors toward privacy and security, bearing these differences in mind. Some works showed that individual differences in demographics and psychological constructs (e.g., personality traits, decision-making styles, and risk-taking preferences) have a significant relationship with security behaviors and privacy attitudes. For instance, the geographical region of individuals influences their Internet browsing habits; Norwegians and Japanese tend to browse the Internet more cautiously than their counterparts in Italy and Spain [14], which in turn lowers their chances of being exposed to malware-infected websites. Also, differences in personality and gender correlate with users' susceptibility to cyberattacks. Females with a specific type of personality are more likely to be victimized by a cyberattack, such as social-engineering or email-based phishing activities, than males or other females with different personalities [3][17][30].
Groups responsible for information systems should help and guide users to make better security decisions. Although considerable research has been devoted to investigating the correlation between the various personality traits and users' security-related behaviors, other variables of individual difference have gained somewhat less attention, namely decision-making. Analyzing the human decision-making process in cybersecurity is an ideal strategy for explaining how to correct abnormalities in users' behaviors.
The fact is that no matter how robust and sophisticated a security system is, computer users could pose a threat to an organization's data either by complacency, ignorance, into a company's system is to try exploiting the weakest link, that is, humans. From his point of view, the only reliable approach to overcoming this problem is to combine security technologies with firm security policies along with proper education programs and training sessions for users [42]. As long as users are the weakest link in cybersecurity, cunning adversaries will continue to seek out and exploit users' vulnerabilities in almost any information security system through every devious means possible. The issue with Mitnick's solution is how to automate the process of producing security policies that address users' security misbehavior and poor decisions. In our research, we offer an approach that imposes more control over the user by analyzing the user's security behavior and then generating a user-specific policy within a Zero Trust environment. Our goal is to help cybersecurity maintain a high level of quality and reliability; we reinforce the generated policy to overcome weaknesses created by the human link in the security chain. The question we address in our research is: how can one automatically and satisfactorily generate a fair and explicit security policy after observing and analyzing the security behaviors, especially the security-related decisions, exhibited by end-users in an environment with Zero Trust assumptions? This question breaks down into three component questions:

Q1: Is it possible to model end-user behavior using Finite-State Automata (FSA)?
Q2: Is it possible to generate linear-time security properties and then verify the reachability of good and poor behaviors?
Q3: Is it possible to compute the type of security policy that should be imposed on a specific user using the developed formal method that results from Q1 and Q2?
The answers to the questions above present a preliminary automated method for generating a user-specific security policy, which is a new contribution to the existing literature. We further enhance cybersecurity by distinguishing ignorant or negligent users who exhibit poor security practices and pose the most significant security risk to the information system.

Chapter 2 Related Work
The study of human factors psychology can lead to a deeper and broader understanding of human-computer interaction, which in turn contributes to make the security system more suitable as well as more convenient for users. This area of knowledge examines how the psychological factors of humans relate to their concerns about the privacy of information, and their compliance with the standard security policies and procedures.
In [60], West (2008) emphasizes the benefits of understanding how people wrap their minds around security matters and make decisions. He says that system design and appearance change nothing about security as long as end-users persist in dismissing security warning dialogs, using a weak set of security options, and accidentally overstepping security policies and standards. The article claims that humans are driven by fundamental ideas that control the way they visualize security in everyday life and the way they unintentionally compromise security. Individuals are inclined to think that they are more cautious than others, which implies the belief that they are less prone to risk than others. Computer users usually think that they have a million-to-one chance of suffering damage because of cyber products. They believe that their engagement in hazardous activities would not matter because they already took intensive security precautions; this is consistent with the risk homeostasis theory, which suggests that people adapt their behavior to maintain an equivalent level of risk tolerance [60].
Faulty decisions and practices concerning security also arise from the fact that users can make rash decisions by relying on similar past events with assumptions that no longer hold [60]. According to the author, among other reasons, safety is just an ab-

The human decision-making process is not at its best in situations that involve reflection on risks, because there are factors that affect the quality of decisions. Those factors combine internal agents, such as foreknowledge or previous experience, and environmental agents, such as lack of time or situational status [61]. The authors add that comprehending the principles that influence decision-makers helps to create interferences, which would improve the outcome of their decisions. They declare that there are psychological aspects that explain why people have some form of impaired decision-making process. One of these aspects is that humans' limited information processing capacity makes them decide quickly based on what seems satisfactory enough. The other aspect is that humans make decisions from the memory of past experiences and often fail to evaluate all currently available options [61].
Herley (2009) believes that the claim that Internet users are careless and unmotivated when it comes to security advice is mistaken and overstated. Indeed, people are known for taking no account of security advisories, preferring easy-to-remember passwords, and, most importantly, being largely inattentive to certificate errors. The author argues that users' unwillingness to behave according to security "advice" is justifiable from an economic perspective. Although security guidance offers users some level of protection from the costs of cybersecurity attacks, it also brings a considerable increase in effort. He thinks that the security advice and recommendations available to users are often complicated and abstruse, and that their benefits are usually conjectural or questionable. For instance, nearly all password advice is obsolete and unclear about the consequences of choosing weak passwords. Moreover, almost all, if not all, certificate errors are just false alarms [32]. Herley (2009) indicates that users continue to reject security matters because of the time cost they would incur if they took the time to inspect URLs to avoid phishing. Security advice does protect against cybersecurity issues, but it comes with a heavy burden of time and effort. Generally, users carry out a cost-benefit analysis before they apply security advice. They weigh the effort they will put in to follow the advice against the benefit of avoiding the harm that could arise from an attack. The harm that results from a cyberattack could be monetary, or it could be the effort and time spent resolving the issue [32]. Herley (2009) explains that although the article is argumentative and justifies, on behalf of users, the reasons for ignoring security advice, one should not conclude that all security advice is troublesome. On the contrary, it is helpful; its only flaw is that it does not properly balance costs and benefits.

Any aware user would realize that the cost of following security advice is far higher than its benefit. In order to change this outcome, there has to be a more compelling trade-off. Herley (2009) suggests that one solution is for the professionals and practitioners who offer security advice to gain a better comprehension of the harms that users genuinely endure. He also adds that security experts should dismiss the least favorable advice, because advice that was in use long ago cannot address the problems users are currently encountering. The other avenue of change is to respect users' effort and time and take them into account. Overemphasizing the harm of one attack reduces the time and effort that the user spends on other attacks, meaning that when security professionals exaggerate all attacks, users resolve to pay attention to none [32].
Egelman and Peer (2015) state that corporations spend significant resources on preparing workers to interact appropriately with information security systems before they are allowed to access the corporation's internal network. The authors state that evaluation and assessment techniques are integral and necessary parts of every security training or education program. Just about all organizations teach end-users the fundamental concepts of cybersecurity through training and education sessions, while also overloading them with advice and tips on how to stay secure while accessing and using the system. As a result, end-users wind up confounded and disoriented, trapped in a "bowl of mixed information," lost between which advice to follow and which to ignore. For this reason the authors recommend analyzing the general behavior of users in an attempt to determine specific advice that is suitable for each user, which would make it easier to follow and remember [23]. to define users' engagement with network security matters adequately, and therefore, could aid end-users to better respond to various cybersecurity measures [23].
In [22], Egelman and Peer say that today's systems do not take into account the differences in users' characteristics. Developers build a system design to meet the needs of the majority of the user population. It is about time that system developers made the best use of their designs by considering individual differences. They mention that in the field of psychology, researchers have indicated that individual differences have some effect on people's decision-making process. The article suggests that since individual-difference constructs can reveal individuals' perspective towards risk, they can also predict their privacy preferences. Experimenters could then develop scales for these implicit factors to assist in determining the privacy preferences of individuals without the cost of asking them in person. The article also proposes that system design specialists should use measures of other constructs that influence decision-making to customize security warning systems. The writers explain that the reason for studying differences between decision-makers is to gain a better knowledge of the effects that are more noticeable in a person who scores low or high on particular individual-attribute scales. For instance, the article suggests that people who have weak skills with numbers and mathematics are the most affected by mood and by the presentation of information [22].
The experimenters agree with the claim that differences between people's attitudes are a reasonable explanation of why their perceptions of risk also vary. Systems should be created and developed with consideration for users' different characteristics, which should further be part of customizing privacy and security mitigations. Egelman and Peer (2015) dispute the Big Five personality model as a useful guide for grasping the privacy preferences of different people. They explain that in addition to using the five dimensions of the Big Five model, evaluating individuals' decision-making styles and risk-taking preferences can inform about their privacy attitudes too. They consider the Security Behavior Intentions Scale (SeBIS), mentioned earlier [23], an efficient measure for examining security behavior intentions towards device securement, password generation, proactive awareness, and updating. Evaluating people's differences in risk-taking preferences and decision-making styles shows strong correlations with their privacy attitudes, stronger than the correlations with the Big Five personality model [22]. The authors of [7] propose that the initial step towards coming up with security safeguards tailored to a specific user requires developers first to recognize the aspects that impact secure online behavior. To do so, they conducted a study to investigate the relationship between culture, personality traits, users' demographics, and cybersecurity behavior. They found that culture is a strong factor that influences how people preserve their privacy in cyberspace. Among the study findings, participants from the United States of America (USA) reveal much more information about themselves online than their counterparts from other countries [7]. More evidence that culture can impact privacy attitudes is the fact that online banking is preferred more in the USA than in other countries. Therefore, the authors suggest that creators should consider culture as a factor for predicting users' privacy attitudes in the system development process.
In [7], the researchers also observed how personality trait affects security attitude.
They mention that individuals' personality relates to their responses to the various kinds of incentives that exist in their surroundings and their reactions to various situations. Gratian, Bandi, Cukier, Dykstra, and Ginther (2017) discuss the fact that the different characteristics of individuals influence their online security behavior. According to the article, the human element in cyberspace is the weakest link and the root cause of many cybersecurity attacks. The need to investigate the correlation between individual differences and security behavior intentions has become far more interesting in the cybersecurity domain. Fulfilling that need would help security practitioners identify individuals who are more likely than others to engage in risky security practices. The writers demonstrate that this knowledge is useful for improving the quality of current educational programs in order to enlighten those who pose the most significant cyber challenge. The authors conducted a study to explore the relationship between cybersecurity intentions and the four main categories that constitute individual differences: personality traits, demographics, decision-making styles, and risk-taking preferences. The study builds on previous research by Egelman and Peer [22], who were among the first to look into individual differences as predictors of security and privacy attitudes [27]. viduals are keener about security. Concerning gender, the experimenters found that women tend to choose weaker passwords than men, as do individuals between the ages of 18 and 25. Women also fall victim to phishing scams more easily than men [27], corresponding to the same finding of Egelman and Peer [22].
The research states that proactive awareness of security varies across demographics. It shows that females have less proactive awareness, and that proactive awareness varies with age: those between the ages of 18 and 25 exhibit the weakest proactive awareness. Regarding keeping software up to date, males are more careful and vigilant than females. Among the 9% of respondents, females exhibit the weakest security practices compared to all other demographic groups included in this study [27].

Chapter 3 Research Methodology
This chapter describes the approach for developing and verifying a formal model of users' security behaviors, which we later use to determine the type of policy that should be automatically generated and then imposed on that specific user. There are plenty of options available for a formal model development approach, differing in complexity from simple to incredibly complex; this can make choosing the best approach a daunting task. The development approach intends to address some poor security practices that are prevalent among Internet users and to maintain a high level of security in the system. To have an approach that fits our goal and to control how the development process proceeds, we decided to create our own approach, ensuring that we precisely implement every detail of the process. Before applying our approach and developing the intended formal model, we built an approach framework that helps us remain focused and organized while achieving our goal.
Our comprehensive User-Specific Policy Generation Framework (USPGF) in Figure 3.1 sets out the structure of this research as a whole; the figure shows the development process as a chain of five stages. We have broken some stages into further parts, and each part includes more detailed information about the tools and techniques we used to develop and verify the formal model. We divided our USPGF in order to identify and define the various concepts we examine and the relationships between those concepts.
For each stage of the USPGF, Chapters 4, 5, 6, and 7 explain what is needed to improve a secure cyber environment by automatically analyzing a given user's behavior in order to distinguish threatening security practices, and then concluding the appropriate security policy that fits that specific user.

Chapter 4 Selecting Predictor
In this chapter, we formalize a user's security-related behavior by taking into account the security decisions made by that user. It describes the scope of data collection, comparison, and selection used to construct a reliable knowledge base consisting of the requirements set for developing the formal model, which we did after reviewing a wide range of possibilities.
As shown in Chapter 2, previous studies have comprehensively investigated the correlations between individual differences in demographics, personality traits, decision-making styles, and risk-taking preferences and their influence on users' security-related behaviors in cyberspace. We chose to focus on decision-making because it has been experimentally shown to be a stronger predictor of security practices than demographics, personality traits, and risk-taking.
The motivation of this research derives from the observation of two particular earlier studies, [22] and [27], which were conducted by Egelman and Peer and by Gratian, Bandi, Cukier, Dykstra, and Ginther, respectively. Both pieces of research aim to develop tailored security defenses that take differences between individuals into account, in order to limit users' errors and their resulting consequences. The sample population of [27] included higher education participants from a large public university located in the USA, while Egelman and Peer surveyed a group of individuals over the age of 18 from Amazon Mechanical Turk (MTurk). Both made use of SeBIS to carry out their studies; however, Egelman and Peer's area of interest regarding security was investigating the correlations between SeBIS and decision-making psychometrics.
Gratian et al. produced an extended version of [22] in which they substantiate the accuracy of SeBIS and broaden its use to examine the correlations of personality traits and demographics with security intentions. The researchers used different sets of metrics to conduct their experiments, illustrated in Table 4.1. We can see that both studies use SeBIS, DoSpeRT, and GDMS to serve the same purpose of identifying the relation between security intentions, risk-taking, and decision-making. The process of determining how to respond to a particular situation requires risk evaluation, consideration of future consequences, and exploration of possible alternatives.
The natural structure of human psychology, the limits of humans' information processing capacity, and their almost absolute reliance on previous experience stand in the way of making the right choices [61]. Failing to determine what is the right thing to do, and vice versa, is a critical matter in cybersecurity. If individuals decide to leave their device unattended in public, set up a password that is easy to guess or crack, rush to download an anonymous email attachment, or underestimate the importance of software updates, they are more at risk of being victimized by a crafty individual.
We model security behaviors by treating each user's behavior as a sequence of connected decisions. Each decision correlates with a particular SeBIS construct: device securement, password generation, proactive awareness, or updating. Using the findings that we collected from [22] and [27], Tables 4.2 and 4.3 show the correlations between SeBIS and GDMS, which measures decision-making across five dimensions:
• Rational: Evaluating situations logically before making decisions.
• Dependent: Counting on and looking to others to make decisions.
• Intuitive: Relying on instincts to make decisions.
• Spontaneous: Making rapid and hasty decisions.

Model Considerations
It is challenging to model human-machine interactions because of the complexity of human behavior and the broad set of knowledge requirements. Although we chose a specific knowledge base, it is still difficult to model and examine every aspect of a user's security-related behavior that is relevant to device securement, password generation, proactive awareness, and updating. To model a user's behavior across the different aspects of SeBIS, we built an architecture that supports decomposition of behavior. The knowledge base architecture includes different levels of abstraction, in order to ease debugging and lessen complexity. We decomposed the structure into different sorts of security services on multiple layers, starting from (1) as the highest level of abstraction and ending with (4) as the lowest level of abstraction. By doing so, we eliminate a fair bit of confusion around which security aspect we employed for a specific SeBIS dimension, double-check that each aspect of the model is covered, and ensure that the quality of the model is at its best by not mixing levels of detail.
Although decomposition ensured that our architecture is no longer monolithic, it ignores interactions between behaviors.

Levels of Abstraction
Here, we illustrate each level of abstraction in detail.
• Layer (1) is the most abstract of the four security service check layers. It assimilates the SeBIS concepts specified by Egelman and Peer: device securement, password generation, proactive awareness, and updating.
• Layer (2) breaks down the SeBIS concepts into four security settings (i.e., device protection, update mechanism, password age, and attention to threats), which either check for possible additional sub-services or not, depending on the user's decision.
• Layer (3) has a sub-tree that descends from the screen-locking feature and is enabled by what the user chooses. This is the last level for device securement, updating, and proactive awareness.
• Layer (4) covers as much as possible of the details of password generation, because passwords are the first line of defense against cybercriminals gaining access to sensitive data. Too many users underestimate password vulnerabilities by choosing common passwords, ignoring simple advice about password strength, and neglecting good password practices.

Model Paradigm
The modeling paradigm was selected after looking at several possible modeling techniques, including Markov chains and architectural representations. We decided that the most appropriate method of representing user behavior is a Finite-State Automaton (FSA), because it allows us to visualize the user's behavior easily as a graphical diagram. It enables the use of well-defined tools to perform automated analysis early in the design phase, which empowers us to reason about the logical representation of the user's behavior and to evaluate alternative design options where there are profound implications. We developed the models that represent our knowledge base by following the principles of Finite-State Automata (FSA) [48].
In order to choose the correct platform for designing and verifying the formal model of a user's behavior, several formalisms and tools, such as NuSMV [18], Uppaal [56], PVS [47], and Z3 [44], were considered carefully. We chose Uppaal [11][36][56] because of its ability to model timing aspects that are critical for cybersecurity, as well as its ability to generate and visualize counterexamples. Uppaal represents models as timed automata; its formalism enables compositionality and supports model checking over networks of timed automata using temporal logics. This modeling paradigm allows requirements to be executed as temporal logic queries in order to check the satisfaction of relevant safety properties exhaustively. We next describe the timed automata formalism used by Uppaal.

Mathematical Representation Within the Model Paradigm
Uppaal uses timed automata [4], a subset of hybrid automata, as a modeling formalism.
One of the essential requirements in the design of human-machine interactions is to be able to model the time associated with the execution of operations or rules. A timed automaton is a finite automaton extended with a finite set of real-valued clocks. Clock values and other relevant variable values are used in guards on the transitions within the automaton.
Based on the result of the guard evaluation, a transition may be enabled or disabled.
Clocks can be reset on transitions, and clock constraints can be imposed as invariants on a location. Modeling timed systems using a timed-automata approach is symbolic rather than explicit: it considers a finite abstraction of the infinite state space on demand (i.e., using an equivalence relation that depends on the safety property and the timed automaton), which is referred to as the region automaton. There also exists a variety of tools to input and analyze timed automata and their extensions, including the model checkers Uppaal and Kronos [12].

• Timed Automaton (TA)
A timed automaton is a tuple $(L, l_0, C, A, E, I)$, where: $L$ is a set of locations; $l_0 \in L$ is the initial location; $C$ is the set of clocks; $A$ is a set of actions, co-actions, and unobservable internal actions; $E \subseteq L \times A \times B(C) \times 2^C \times L$ is a set of edges between locations, each with an action, a guard, and a set of clocks to be reset; and $I : L \to B(C)$ assigns invariants to locations.
We define a clock valuation as a function $u : C \to \mathbb{R}_{\geq 0}$ from the set of clocks to the non-negative reals. Let $\mathbb{R}^C$ be the set of all clock valuations, and let $u_0(x) = 0$ for all $x \in C$. If we consider guards and invariants as sets of clock valuations (with a slight relaxation of formalism), we can write $u \in I(l)$ to mean that $u$ satisfies $I(l)$.

• Timed Automaton Semantics
Let $(L, l_0, C, A, E, I)$ be a timed automaton $TA$. The semantics of the $TA$ is defined as a labelled transition system $\langle S, s_0, \to \rangle$, where $S \subseteq L \times \mathbb{R}^C$ is the set of states, $s_0 = (l_0, u_0)$ is the initial state, and $\to \subseteq S \times \{\mathbb{R}_{\geq 0} \cup A\} \times S$ is the transition relation such that: where, for $d \in \mathbb{R}_{\geq 0}$, $u + d$ maps each clock $x$ in $C$ to the value $u(x) + d$, and $[r \mapsto 0]u$ denotes the clock valuation which maps each clock in $r$ to $0$ and agrees with $u$ over $C \setminus r$.
Note that a guard $g$ of a $TA$ is a simple condition on the clocks that enables the transition (or edge $e$) from one location to another; the enabled transition is not taken unless the corresponding action $a$ occurs. Similarly, the set of reset clocks $r$ for the edge $e$ specifies the clocks whose values are set to zero when the transition on that edge executes. Thus, a timed automaton is a finite directed graph annotated with resets of, and conditions over, non-negative real-valued clocks. Timed automata can then be composed into a network of timed automata over a common set of clocks and actions, consisting of $n$ timed automata $TA_i = (L_i, l_{i0}, C, A, E_i, I_i)$, $1 \leq i \leq n$. This enables us to check reachability, safety, and liveness properties, expressed in temporal logic, over this network of timed automata. An execution of the $TA$, denoted by $exec(TA)$, is a sequence of consecutive transitions, while the set of execution traces of the $TA$ is denoted by $traces(TA)$.
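As an added worked example (not from the thesis), the screen-locking timeout of the device-securement layer written as a timed automaton in the notation above. The 15-minute default timeout is the value the text cites; the location names, the two actions, and the assumption that the screen locks exactly at the timeout are mine.

$$
\begin{aligned}
L &= \{\mathit{Unlocked},\ \mathit{Locked}\}, \qquad l_0 = \mathit{Unlocked}, \qquad C = \{x\}, \qquad A = \{\mathit{activity},\ \mathit{timeout}\},\\
E &= \{(\mathit{Unlocked},\ \mathit{activity},\ \mathit{true},\ \{x\},\ \mathit{Unlocked}),\ \ (\mathit{Unlocked},\ \mathit{timeout},\ x \ge 15,\ \{x\},\ \mathit{Locked})\},\\
I(\mathit{Unlocked}) &= (x \le 15), \qquad I(\mathit{Locked}) = \mathit{true}.
\end{aligned}
$$

Using the standard Uppaal delay and action rules, $(l,u) \xrightarrow{d} (l,u+d)$ whenever $u + d' \in I(l)$ for all $0 \le d' \le d$, and $(l,u) \xrightarrow{a} (l',[r \mapsto 0]u)$ whenever $(l,a,g,r,l') \in E$, $u \in g$ and $[r \mapsto 0]u \in I(l')$, one execution from $s_0 = (\mathit{Unlocked}, u_0)$ is

$$
(\mathit{Unlocked},\ x{=}0) \xrightarrow{\;15\;} (\mathit{Unlocked},\ x{=}15) \xrightarrow{\;\mathit{timeout}\;} (\mathit{Locked},\ x{=}0),
$$

while the delay $d = 20$ is not allowed from $s_0$ because $u_0 + 20 \notin I(\mathit{Unlocked})$: the invariant forces the $\mathit{timeout}$ edge to fire by minute 15. The $\mathit{activity}$ edge resets $x$ and keeps the device unlocked, and a user who raises the default timeout (as discussed under screen-locking below) changes the constant 15 in both the guard and the invariant, lengthening the window in which an unattended device stays unlocked.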

Chapter 6
Generating Linear-Time Security Properties
The set of specifications (i.e., properties) that we expect the formal model to meet is originally generated as ideas stated in natural language and later translated into a more formal and well-defined language so that it can be read and refined by machines [28]. In the following sections, we first discuss the fundamental concept of linear-time properties and some significant, though relatively simple, types of such properties.
Second, we describe the formal language that is used in Uppaal to encode model specifications. Uppaal uses a formal language called Timed Computation Tree Logic (TCTL).
Finally, we illustrate the security properties of our knowledge base that we have generated through Uppaal to check and verify whether the design of our developed model is valid or not.

Overview of Linear-Time Properties
A linear-time property is a requirement on the traces of a transition system [7]: it specifies the traces that the transition system is required to exhibit. Intuitively, a linear-time property describes the behavior of a system during execution. In the next two subsections, we discuss the different aspects of linear-time behavior, namely deadlock, invariants, and liveness properties, as they relate to linear-time properties. In the course of the work, we outline the basic concepts that make up the linear temporal system and discuss the linear-time properties in depth.
A linear-time property is simply an ω-language, a set of infinite-length sequences of symbols, over $2^{AP}$, where $AP$ is a finite or countably infinite set of atomic propositions. Programs that are not divergent (i.e., that do not loop endlessly) usually have a terminal state without outgoing transitions. When a system stops while at least one component is in a non-terminal state, the result is a deadlock scenario: at least one component should be able to continue, yet the system has halted [7]. Typically, a deadlock scenario happens when the components of a system mutually depend on, or wait upon, each other to progress. Mathematically, the interpretations of linear-time properties are represented as follows:
1. Let $P$ be a linear-time property over $AP$ and $T$ a transition system over $AP$ without terminal states. Then $T$ satisfies $P$, written $T \models P$, when $Traces(T) \subseteq P$.
2. Let $\pi \in Paths(T)$. Then $\pi$ satisfies $P$, written $\pi \models P$, when $Traces(\pi) \in P$; likewise a state $s$ satisfies $P$, written $s \models P$, when $Traces(s) \subseteq P$.
Generally, $P$ is satisfied by a transition system $T$ when all its traces are in $P$. The main idea in the above statement is that $P$ contains all the admissible behaviors of the transition system.
If two transition systems $T_1$ and $T_2$ have the same set of traces, then they are expected to satisfy the same linear-time properties. Assume $T_1$ and $T_2$ have the same traces and let $P$ be an arbitrary linear-time property: if $T_1 \models P$, then $Traces(T_1) \subseteq P$, implying that $Traces(T_2) \subseteq P$ since $Traces(T_1) = Traces(T_2)$. When dealing with software design, it is essential to note the above expressions, because if $Traces(T_1) \subseteq Traces(T_2)$, then $T_1$ is a correct implementation of $T_2$: $T_2$ is considered an abstract model, while $T_1$ is treated as one particular implementation. Generalizing the above statement, $T_1$ cannot exhibit behaviors that are not exhibited by $T_2$.
A transition system representing a computer system depends on either a state-based approach or an action-based approach. An action-based view abstracts from states and refers only to the action labels [7]. The state-based approach abstracts from actions and refers only to the labels contained in the state sequences. Transition systems model hardware and software systems, and the verification algorithms are based on the state graph defining a transition system. Along an execution, the state labels form a sequence $L(s_0), L(s_1), L(s_2), \ldots$ of sets of atomic propositions that hold in the visited states. The sequences described above are referred to as traces. In examining the linear-time properties, we shall consider the following traces in a simplified form.

Invariant
An invariant is a linear-time property given by a condition $\Phi$ on states that remains true in all reachable states. A good example is the mutual exclusion property $\Phi = \neg crit_1 \lor \neg crit_2$. Invariants are safety properties, which state that nothing bad should happen. A typical safety property is the mutual exclusion property: the bad thing, more than one process in its critical section at the same time, never occurs. Deadlock freedom is another example of a typical safety property. If $\Phi$ is a propositional logic formula over $AP$, then a linear-time property $P_{inv}$ over $AP$ is an invariant in the sense that: where $\Phi$ is referred to as the invariant condition of $P_{inv}$.

Liveness Properties
Liveness properties complement safety properties by asserting that "something good will happen." Doing nothing guarantees that nothing bad will happen and therefore trivially satisfies a safety property. While finite traces witness safety violations, liveness violations are witnessed only by infinite traces. To sum up, a liveness property does not rule out finite behavior [7]; instead, liveness properties constrain the infinite behaviors. Every trace that refutes a safety property contains a finite bad prefix. Two further points hold. First, invariants are safety properties whose bad prefixes have the form $\Phi^*(\neg\Phi)$. Second, a safety property is regular only when its set of bad prefixes is a regular language.
The set of reachable states of a transition system TS is established by a search algorithm. A sequence of sets of atomic propositions is referred to as a trace; a trace of a transition system TS is obtained by projecting a path onto the sequence of its state labels. Unrealistic traces may exist; to rule out these unrealistic traces, fairness assumptions are used [62]. The fairness assumptions consist of unconditional, strong, and weak fairness constraints on infinite executions. Fairness assumptions are needed to establish liveness properties, but, as long as they are realizable, they are irrelevant for safety properties.

Specification Language in Uppaal
The process of verification in Uppaal operates with a specific query language that is used to specify the set of properties to be examined. The query language is a subset of Computation Tree Logic (CTL) called Timed CTL (TCTL) [10]. The syntax of Timed Computation Tree Logic is expressed as follows:
• a is an atomic action.
• g is a clock constraint.
• E means "for some paths."
• A means "for all paths."
• J is an interval whose bounds are natural numbers.
TCTL is similar to CTL in having temporal connectives that are expressed as pairs of symbols, such that the first element of the pair is one of the path quantifiers, either A or E, whereas the second element of the pair is one of the following state quantifiers:
• G means "all states in a path."
• F means "some state in a path."
In

Device Securement
• Device Protection We chose device protection as the first criterion for device securement. It denotes whether or not users protect their devices with passwords, PIN codes, fingerprints, or patterns. Even though locking devices of all kinds is a simple security task, it is sometimes undervalued by end-users. In the Pew Research Center survey conducted in 2017, 28% of American mobile phone users reported that they do not use PIN codes or any other security feature to access their smartphones [46]. This matter of security is far more critical in the work environment. For instance, if some employees are working outside the workplace using portable devices (e.g., laptops, tablets, or smartphones) as their primary work computer, they could leave the device unprotected in places such as a hotel room or a car. By doing so, if the device is stolen, it is already unlocked, and the company's data would be in the hands of an unauthorized individual. Most organizations require this control for devices holding their data, but it may be hard to monitor and enforce across all ecosystems and devices.
• Screen-Locking The password-protected screen saver feature sets up the device to lock automatically after some period of inactivity. Some end-users find it troublesome to have to log in again every time the timeout is exceeded. Others have a low perception of the threat; they believe nothing would go wrong since they are around their portable devices almost all the time, especially smartphones [1]. Still others do set a password-protected screen saver, but they adjust the default timeout (i.e., often 15 minutes) to a much longer time [55]. We examine this side of device securement because leaving the device without a password-protected screen saver would allow malicious individuals (e.g., insider threats) to access data or perform tasks they are not entitled to see or do [15]. Insider threat is one of the most difficult security issues; malicious insiders can put the organization at greater risk than outsiders because they are more familiar with its security infrastructure, practices, and vulnerabilities.
They can more easily avoid detection and remain hidden for a long period of time.
Table 6.2 shows how we translate the criteria mentioned above into Timed CTL formulas, whereas Figure 6.5 depicts the device protection, screen-locking, and screen-locking timeout state-transition graphs, respectively.

Password Generation
• Password Age The problem of passwords is a perennial one in cybersecurity. Much advice is given, and policies are enforced, but still the problem of weak passwords is constantly growing. Setting a maximum password age is one of the traditional techniques for maintaining proper password hygiene. It requires users to change their passwords periodically, typically every 30 to 90 days [8]. Habib et al. (2018) state that some studies have implied that forcing users to change their password repeatedly does not lead to better security. Their own study shows that 82% of the participants agreed that this technique had a positive influence on password security, and accordingly would reflect a significant reduction in password-guessing attacks [29]. Some might argue that scheduled changes make passwords harder for users to remember, and thus more likely to be stored insecurely. Users adjust and develop coping mechanisms to overcome this burden by making small alterations to their current passwords. We included this rule in our set of specifications to show an example of the variety of criteria that can be included in the knowledge base.

• Password Length
People want to protect their personal information, but they are not willing to put in a little more effort for it. The biggest example of this is that, despite the continuous security warnings that alert users about the use of weak passwords and the serious consequences that result from such behavior, they still use short and easy-to-remember passwords. According to the Psychology of the Password Report, 47% of the people who participated in the study declared that they prefer to choose easy passwords because they are afraid of forgetting them [37]. Martin et al. (2012) illustrate that guessing a password through a brute-force attack is most likely unsuccessful against long and complicated passwords that contain capital and small letters, digits, and symbols. They mention that cracking a complicated password with a length of 4, 8, or 16 characters would take approximately 81 seconds, 210 years, and 1.4 quintillion years, respectively [41]. According to Maddox and Moschetto (2019), when users assign a password to an account, they should maintain an adequate length, avoid well-known character substitutions, and use a variety of letters, numbers, and special characters [40]. We considered the length of a password necessary to look at in order to identify those whose accounts are vulnerable to password attacks.
• Password Re-usability With so many accounts to handle and keep track of, it can be tempting for users to use one password across them all and bring themselves some peace of mind; users might live to regret it. Re-using the same password for multiple sites carries more risk than writing down separate passwords on a piece of paper. If individuals decided to assign one password for their different accounts, they would allow attackers to compromise other accounts that use the same password [33].
The struggle with password protection is that the majority of end-users acknowledge the risk and the consequences of password re-use; yet, 35% of them ignore this knowledge in favor of remembering their easy and familiar passwords [37].
We chose to cover this aspect of password generation because, in the worst-case scenario, the resulting risk is not limited to the end-users but extends to their workplaces and coworkers if they re-use the work password for some other personal account. Table 6.3 lists the equivalent expressions of password age, length, and re-usability in the Uppaal specification language. In Figure 6.6, we can see the state-transition graphs of the password generation aspects.
There is no doubt that the interest in cybersecurity is growing and expanding, making people more educated and cautious about online information sharing, fake e-commerce sites, scams, and security threats. There is always a "but" in this imperfect world, because a significant number of people lack digital security awareness and education, which in turn affects their ability to recognize threats even when there are apparent signs. End-users would not be able to protect themselves from identity theft if they were unable to spot a sign of spyware on their device, recognize a social engineering attempt, identify a phishing or spoofing email, or detect any other elusive activity. According to Verizon's Data Breach Investigations Report (DBIR) (2019), phishing was one of the leading causes of data breaches: it was a contributing factor in 32% of confirmed data exposures and 78% of cyber-espionage incidents [58]. On account of this, we stressed the importance of spotting early warning signs by investigating the users' ability to recognize and avoid phishing scams before it is too late.

• Report Threat
In the "If You See Something, Say Something®" national campaign, which raises public awareness of the indicators of terrorism-related crime, we are encouraged to report to the authorities if something does not seem quite right, to keep ourselves and our communities safe [45]. It is exactly the same in organizational environments: reporting possible security incidents can save crucial time in the early stages of breach detection [21]. If employees know about the types of cyberattacks and how they look and occur, they are more likely to notice unauthorized changes that have taken place on their systems. They would probably be more confident and willing to reach out to the IT department. Lack of cybersecurity awareness, training, and vigilance, and miscommunication between employees and the IT team, would make the former hesitate and question whether they have caught something real or not. In this research, this condition is enabled by the previous security aspect, since users would not report something they did not notice in the first place. The idea of including this area of interest in our research is to determine whether users are truly not educated enough, or whether they are just too reckless to report such an urgent matter.

• Policy Compliance
Identifying, determining, and handling risks to the confidentiality, integrity, and availability of an organization's assets is a top priority. Security policies and procedures are part of the hierarchy of any organization's management controls to protect sensitive data, its most critical asset, from the complex and ever-evolving threat landscape. One of the biggest concerns for any organization is how to protect data from its own employees [2]. Security policies and guidelines are put in place to draw a line for employees between what is acceptable and unacceptable when they interact with the information system. The problem lies in the employees' non-compliance [49]. According to Mutlaq et al. (2016), non-compliant behavior can be categorized as: first, deviant behavior, driven by an intentional or planned desire to harm the organization; second, negligent behavior, which intentionally goes against the security policy but with no malicious intent to cause harm; and third, ignorant behavior, which stems from unawareness due to a lack of cybersecurity knowledge and training. With these different interpretations of security policy violation, we were eager to look into end-users' adherence to security policy, because it eases the process of identifying the right policy actions to impose on a specific user. Table 6.4 shows the linear-time properties that have been generated to investigate the proactive awareness aspect of the knowledge base. Figure 6.7 gives the graphical representation of the proactive awareness criteria.
to make decisions. In contrast, the manual update allows users to gain better control over their devices by choosing which update to install and when. There is no definite position from which we can say that one mechanism is better and safer than the other, because it all depends on users' behaviors regarding this matter. It may come to mind that the automatic mechanism appears the more responsible selection. Still, the manual update is responsible as well, provided end-users ensure that their systems are up-to-date as soon as a new update is available. We chose to include users' preferences for the updating mechanism to observe their behaviors from different angles with respect to their differences.

• Time to Update
While some software updates and patches are released to address security bugs discovered in previously installed software, some end-users avoid or delay the installation because they consider these incremental updates to be just useless technical additions [57]. Herein lies the risk for those users who download and install updates manually, long after they became available. Users are always encouraged to apply security-related updates for their operating systems and important applications as soon as possible after those updates are released.
The reason is that after vulnerabilities are disclosed, it is only a matter of time, sometimes not much time at all, before cybercriminals use that information to create exploits. We discern from this that delaying the installation of the latest updates and patches creates windows of opportunity for malicious individuals to exploit open security vulnerabilities on users' devices [52]. We investigate how long it takes end-users to apply available updates in order to identify those who are negligent and pose the greatest risk to cybersecurity systems.

• Time To Reboot
Software developers have unremittingly endeavored to improve security by removing the user from the software update cycle. They found that user intervention remains a must, because some updates require a device reboot for the changes to take effect [59]. Some operating systems, such as Microsoft Windows, are developed to alert users if a reboot is required after updates are installed. In this case, the system shows a pop-up notification that a reboot will occur shortly (i.e., usually within 10 minutes). Users are given the option either to reboot the device immediately or to postpone it for an additional specified time. If users choose to postpone, the warning dialog appears again with the same options [59].
Users delay the rebooting task because they might have pressing matters that keep them from rebooting for a couple of hours. The decision to postpone rebooting more than once can negatively impact the security of the device because, as far as the computer system is concerned, the update installation is not complete. We observed this aspect of updating to draw the attention of negligent and unaware users to the importance of an immediate reboot when required.
updating mechanism, time to update, and time to reboot as Finite-State Automata (FSA). Moving a step closer to achieving our purpose, we elucidate our method and generate the appropriate policy which best meets a particular user's security needs.

Automated Analysis
We seek to analyze users' behaviors in order to draw out the poor security decisions that have a significant impact on the security system. To achieve our goal, we designed six test cases that cover as many as possible of the different security behaviors exhibited by users in real-world scenarios, revolving around device securement, password generation, proactive awareness, and updating. For each test case, we represent the user's behavior as a state-transition graph using the Uppaal tool, manually generate user-specific linear-time properties, apply reachability analysis, and generate a user-specific policy. The first three steps fall within the fourth stage of our User-Specific Policy Generation Framework (USPGF). In this section, we demonstrate one of these test cases as an illustration of our formal method-based approach.

Representing Test Cases
In order to have reliable test cases, we had to make several assumptions and predictions of how some users might behave and make security-related decisions. In one test case, we created a scenario with a user named Tom, who works as a Data Entry Specialist at a network marketing company. Tom is assigned a laptop to perform duties directly related to the business of the company and to allow him to work remotely and outside of regular working hours. On this basis, the company requires him to be responsible and take reasonable precautions to protect and maintain the laptop and its content. For this research, we are focusing on capturing Tom's security behavior rather than his system role. Figure 7.1 represents the state-transition graph of Tom's security-related behavior.

Generating User-Specific Security Properties
In the previous section, we drew the user's security-related behavior as Finite-State Automata (FSA) modeling graphs. We made Tom deliberately exhibit different good and poor security behaviors regarding device securement, password generation, proactive awareness, and updating. In order to analyze Tom's behavior automatically, we needed to create, manually, linear-time properties generated specifically for Tom. In Table 7.1, we combined the resulting properties with the knowledge base properties that we previously specified in Section 6.3, Chapter 6. We generate these properties in order to distinguish the aspects where Tom has failed to apply proper security practices.

Reachability Analysis
Reachability analysis, or model checking, is a verification procedure for models designed on the basis of the state-transition concept. According to Kong et al. (2015), reachability analysis is a technique used in a state-transition system to find out the type and number of states that can be reached in a particular system model [35]. Reachability analysis allows formal analysis for validation, verification, and performance, explained as follows:
• Validation: A simulation of the process is shown, where the model should reflect what it is intended to represent.
• Verification: A checking process is carried out to ensure that the specifications meet the model that is built.
• Performance: A set of predictions about the key performance indicators is made.
Among these procedures, we only verify whether our specifications (i.e., properties) hold in any, some, or all states of the user's behavior model. According to Eleftherakis et al. (2001), "A model checker takes a model and a property as inputs and outputs either a claim that the property is true or a counterexample falsifying the property." [24]. Figure 7.2 shows the model checking approach that we used to check whether our model conforms to its specifications [7]. In this research, we favored reachability analysis over other methods, such as the graph matching approach, because it provides the opportunity to check thoroughly and automatically all possible paths in which security properties might not be satisfied. Reachability analysis helps in determining general drawbacks while designing the formal model and in validating that the basic behavior of the model is as expected.

Generating User-Specific Policy
In this section, we generate and define a set of policies to be imposed on specific users who exhibited poor security practices. The type of policy to be enforced depends on the users' decisions, which represent their adherence to the set of rules that we established for each security aspect highlighted in this research: Device Securement (DS), Password Generation (PG), Proactive Awareness (PA), and Updating (U). We assign each security aspect one of three standardized policy types that we drafted as follows:
After analyzing users' security-related behaviors and determining the appropriate policy for each security aspect, we generate one general security policy for each user.
This general policy is composed of the four policies previously assigned for device securement, password generation, proactive awareness, and updating. We formulated the resulting general policy in the following manner:
• u is the user under test.
• G/B indicates the behavior (i.e., Good or Bad).
• t represents the type of policy to be imposed.
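As an added example (not the thesis's code or model), the following Python mechanizes the reachability analysis and policy assignment described above for a constructed behavior graph of Tom: the four Uppaal query forms (E<>, A[], E[], A<>) are evaluated by breadth-first reachability over the graph, each aspect (DS, PG, PA, U) is judged G or B from its properties, and the (u, G/B, t) entries of the general policy are assembled. The state names, atomic propositions, property list and the placeholder policy-type tags t are all assumptions, since the thesis's own tables are not reproduced on this page.

```python
# Constructed example, not the thesis's own code or model: reachability
# analysis of a user-behaviour graph under the four Uppaal query forms
# (E<>, A[], E[], A<>), followed by the (u, aspect, G/B, t) policy assignment.
from collections import deque

# Constructed state-transition graph for the hypothetical user "Tom": LABELS
# gives the atomic propositions (AP) true in each state, EDGES its successors.
LABELS = {
    "start": set(),
    "pin_set": {"device_protected"},
    "lock_enabled": {"screen_lock"},
    "timeout_60min": {"screen_lock", "timeout_gt_15"},  # default is 15 min
    "pw_chosen": {"pw_len_ge_8", "pw_reused"},          # long, but re-used
    "phish_noticed": {"threat_noticed"},
    "not_reported": {"threat_noticed", "report_skipped"},
    "manual_update": {"manual_update"},
    "update_applied": {"update_applied"},
    "working": set(),                                   # daily-use loop
}
EDGES = {
    "start": ["pin_set"], "pin_set": ["lock_enabled"],
    "lock_enabled": ["timeout_60min"], "timeout_60min": ["pw_chosen"],
    "pw_chosen": ["phish_noticed", "manual_update"],
    "phish_noticed": ["not_reported"], "not_reported": ["manual_update"],
    "manual_update": ["update_applied"], "update_applied": ["working"],
    "working": ["working", "phish_noticed"],
}
INITIAL = "start"

def reachable(pred=lambda props: True, start=INITIAL):
    """Breadth-first search restricted to states whose labels satisfy pred."""
    if not pred(LABELS[start]):
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in EDGES.get(s, []):
            if t not in seen and pred(LABELS[t]):
                seen.add(t)
                queue.append(t)
    return seen

def exists_globally(p):
    """E[] p: some maximal path stays in p-states, i.e. the p-restricted region
    reachable from the initial state contains a deadlock state or a cycle."""
    region = reachable(p)
    if any(not EDGES.get(s) for s in region):
        return True
    colour = dict.fromkeys(region, "white")
    def on_cycle(s):  # DFS colouring; reaching a grey successor closes a cycle
        colour[s] = "grey"
        for t in EDGES.get(s, []):
            if t in region and (colour[t] == "grey" or
                                (colour[t] == "white" and on_cycle(t))):
                return True
        colour[s] = "black"
        return False
    return any(colour[s] == "white" and on_cycle(s) for s in region)

def check(form, p):
    """Evaluate a query of the given Uppaal form (E<>, A[], E[], A<>)."""
    neg = lambda props: not p(props)
    if form == "E<>":
        return any(p(LABELS[s]) for s in reachable())
    if form == "A[]":
        return not check("E<>", neg)     # A[] p  ==  not E<> not p
    if form == "E[]":
        return exists_globally(p)
    if form == "A<>":
        return not exists_globally(neg)  # A<> p  ==  not E[] not p
    raise ValueError(form)

# User-specific properties per aspect (DS, PG, PA, U): Uppaal-style query
# text beside the predicate that implements it over a state's label set.
PROPERTIES = [
    ("DS", "A<> screen_lock", "A<>", lambda s: "screen_lock" in s),
    ("DS", "A[] not timeout_gt_15", "A[]", lambda s: "timeout_gt_15" not in s),
    ("PG", "E<> pw_len_ge_8", "E<>", lambda s: "pw_len_ge_8" in s),
    ("PG", "A[] not pw_reused", "A[]", lambda s: "pw_reused" not in s),
    ("PA", "E[] not report_skipped", "E[]", lambda s: "report_skipped" not in s),
    ("PA", "A[] (threat_noticed imply not report_skipped)", "A[]",
     lambda s: "threat_noticed" not in s or "report_skipped" not in s),
    ("U", "A<> update_applied", "A<>", lambda s: "update_applied" in s),
    ("U", "A[] not reboot_postponed", "A[]", lambda s: "reboot_postponed" not in s),
]
# Assumed placeholder tags for t; the thesis's three policy types are not reproduced.
POLICY_TYPE = {"DS": "T-DS", "PG": "T-PG", "PA": "T-PA", "U": "T-U"}

def aspect_verdicts():
    """An aspect is Good (G) only if every one of its properties holds."""
    verdict = {}
    for aspect, _text, form, pred in PROPERTIES:
        failed = verdict.get(aspect) == "B" or not check(form, pred)
        verdict[aspect] = "B" if failed else "G"
    return verdict

def general_policy(user):
    """General policy: one (u, aspect, G/B, t) entry per security aspect."""
    return [(user, a, v, "none" if v == "G" else POLICY_TYPE[a])
            for a, v in aspect_verdicts().items()]
```

Note that "E[] not report_skipped" holds for Tom (the branch that never skips a report exists), yet the aspect is still judged B because the A[] property fails on the branch where he does skip.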
As per the formal description of the general policy, we can determine the policy suitable for Tom as follows:
Yes, the TCTL language is used to generate linear-time properties, and thus reachability analysis is enabled and performed through the Breadth-First Search (BFS) algorithm.
Q3: Is it possible to compute the type of security policy that should be imposed on a specific user using the developed formal method that results from 1 and 2?
Yes, after observing and analyzing security behavior, the appropriate policy was assigned to address the security gaps caused by a specific user.
We designed our models as deterministic. The deterministic approach that we applied to model users' security-related behaviors means that we specified the inputs of the knowledge base variables; that is, we anticipated how users behave and already knew where their security weaknesses lie. This design approach comes at the cost of realism, which is almost non-existent. The analysis technique we performed is essentially static: we examined user-machine interactions and performed the verification process in a non-run-time environment. Our future work will consider many different pieces of research, adjustments, and examinations that we had to leave for extensive future investigation due to lack of time. Forthcoming research would involve conducting surveys, expanding the knowledge base, and gathering more realistic data from information technology personnel and cybersecurity experts.
We would apply deeper and more dynamic analysis to allow examining end-users and their security decisions in a real-time environment, and monitoring their security awareness and their behaviors over time. This will enable us to check whether any previously imposed policy needs adjusting or revising.