Module 2 Human Capability, Behavior and Information Security PowerPoint PPT Presentation


Presentation Transcript


Module 2: Human Capability, Behavior and Information Security

Azene Zenebe, Ph.D., and

Lola Staples, M.Sc.

Management of Information Systems Department

Center for Business and Graduate Studies, Room 3330

14000 Jericho Park Road, Bowie, MD 20715

Human Capability, Behavior and Information Security



Presentation Outline

  • Overview

  • Introduction

  • Human Capability and Security

  • Factors for Human Capability

  • Models in Human Computer Interaction (HCI)

  • Importance to Usability of Security Systems

  • Human Behavior and Security

  • Summary

  • Discussion Questions



Overview

  • Users are not always capable of performing the right decisions regarding security.

  • If users have to invest too much mental effort in working out how to operate security systems, they will be less efficient and make more errors.

  • Human – security system interaction is a cognitive activity.



Objectives

When you complete this module, you will be able to:

  • Describe human capability

  • Discuss factors that determine human capability

  • Describe the relationship between usability of security systems and human capability

  • Discuss human behavior in security systems

  • Determine factors affecting human behaviors in security systems

  • Conduct a study of user behaviors in a security system



Introduction

  • Users interact with computer and information security systems differently and have different behavior.

  • The purpose of this module is to provide definitions, background and theoretical framework for human capability and behavior in relationship to the usability of computer and information security systems.



Human Capability and Security

  • Humans carry out tasks in which information is created, accessed and/or manipulated.

  • The more complicated the interaction with the computer systems the more frustrated users become and the more distracted they are from their real tasks.

  • Users are not always capable of performing the right decisions regarding security.



Human Capability and Security

  • Several studies indicated that:

    • The mechanism for encryption, authorization or authentication can be difficult for people to understand or use.

    • People often fail to recognize security risks or the information provided to alert them.

  • Computer interaction is a cognitive activity that involves processing of information in the mind



Human Capability and Security - What is Cognition?

  • What is cognition?

    • Cognition is the process of recognizing, interpreting, judging and reasoning

    • Cognition involves high level intellectual functions carried out by the human brain including:

      • planning

      • problem-solving

      • self-monitoring



Factors for Human Capacity

  • Key factors that affect the way users interact with computer systems are:

    • our sensors

    • attention

    • memory (sensory, short term and long term)

    • learning and

    • mental models

  • Putting all these factors together leads to the Human Information Processing Model



Factors - Sensors

  • Perception, the process of seeing, is an active process:

    • mainly visual environmental information

    • can be previously stored knowledge

    • provides a more constant view of the world

    • highly related to user interface with security systems

      • should be legible

      • distinguishable

      • comprehensible

      • uncluttered and meaningfully structured



Factors – Attention

  • Attention: our capability to attend to a mass of information at one time.

    • We can see, hear, and smell at one time.

    • We are multi-tasking

    • Hence few tasks or decisions receive our full attention at any given time



Factors - Memory

  • Memory - Our ability to store and remember.

  • There are three main types:

    • sensory memory (SM)

    • short term memory (STM)

    • long-term memory (LTM)



Factors - Sensory-Memory (SM)

  • SM retains an exact copy of what is seen, heard or touched

    • mainly visual and auditory

  • SM lasts only a few seconds, or

    • approximately 300 milliseconds

    • has unlimited capacity



Factors - Short Term Memory (STM)

  • Clark (2004) states that the selective attention determines what information moves from sensory memory to short-term memory.

  • STM works like RAM memory

  • STM provides a working space and is vulnerable to interruption or interference



Factors - STM

  • STM can retain only a limited number of items: up to 7 pieces of independent information with a single aspect, actually 7 +/- 2 “chunks.”

  • 7 is called Miller's Magic Number

  • These items last from 3 to 20 seconds



Factors - STM: “Chunking”

  • “Chunking” allows the brain to automatically group certain items together, e.g., a telephone number.

  • We remember phone numbers by their aspects of 2 or more groupings.

  • We don't really remember "seven" numbers



Factors - Long Term Memory (LTM)

  • LTM is defined by Clark as relatively permanent storage…

    • information is stored by meaning and importance.

    • Information can be stored for extended periods of time

    • capacity limits are unknown

  • Information moves from STM to LTM



Factors - Long Term Memory

  • Information moves from STM to LTM by

    • rehearsal

    • practice …and

    • use in context.

  • “LTM stores interrelated networks of mental models of the world that form intricate knowledge structures.”



Factors - Long Term Memory (Con’t)

  • According to Clark (2004):

    • LTM has a strong influence on perception through top-down processing…

    • Our prior knowledge affects how we perceive sensory information…

    • Our expectations regarding a particular sensory experience influence how we interpret it… this is how we develop bias.



Factors - Learning

  • Learning is acquiring new knowledge, behaviors, skills, values, preferences or understanding, and may involve synthesizing different types of information.

  • The ability to learn is possessed by humans, animals and some machines



Factors - Mental Model (MM)

  • MM is a set of beliefs about how a system works.

  • Users interact with systems based on their MM.

  • Some properties of MM:

    • Enable users to understand the working of a security system.

    • Can be built-on-the-fly from knowledge of prior system experience, training, and interaction

    • Is unstable and subject to change

    • Contains minimal information



Factors - Human Processors (HP)

  • HP in information processing involves:

    • Encoding the information into some form of internal representation

      • This is related to perception

    • Comparing this representation with previously stored representations in the brain

      • this is related to attention and memory

    • Deciding on appropriate responses; and

    • Organizing a response and necessary action


The Information Processing Model

Humans have a limited capacity for processing information due to the nature of our memory, processors and sensors such as sight, touch and hearing.

Figure: The Information Processing Model (Clark, 2004)


Models of Human Performance

  • A simple model of human cognition was developed empirically by Card, Moran and Newell in 1983.

  • The components are Senses, Sensory store, Short-term memory, Long-term memory, and processors.

    • Processors cycle time of 50-200ms

    • Memories have type, capacity and decay time

    • See Figure for the Model Summary



Human Performance – Summary



Importance to Usability of Security Systems

  • Knowledge of human capability helps:

    • Predict what users will remember, retain, understand and use.

    • Plan on how to make new security related knowledge and information retained in user’s Long Term Memory during training.

    • Use chunking in presentation of security information and codes such as passwords, access codes, etc. to users.
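As an added example (not from the slides), the chunking advice applied to a recovery code: the code is shown to the user in groups of four, kept within Miller's 7 +/- 2 bound, and accepted back whatever grouping or case the user types. The confusable-free alphabet and the constant-time comparison are design choices assumed here, not part of the lecture.

```python
"""Chunked display of security codes, following Miller's 7 +/- 2 rule.

Added example, not from the lecture slides: a recovery code is generated,
shown to the user in short groups that fit short-term memory, and later
accepted back regardless of how the user re-typed the grouping.
"""
import hmac
import math
import secrets

# Assumed design choice: an alphabet without 0/O and 1/I/L, which users
# confuse when reading a code from screen or paper and typing it back.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CHUNK_SIZE = 4   # symbols per chunk: one unit the user holds in STM
MAX_CHUNKS = 9   # upper bound of Miller's 7 +/- 2


def generate_code(n_chunks: int = 5) -> str:
    """Return a random code of n_chunks * CHUNK_SIZE symbols, no separators."""
    if not 1 <= n_chunks <= MAX_CHUNKS:
        raise ValueError("code would exceed 9 chunks (Miller's 7 +/- 2)")
    return "".join(secrets.choice(ALPHABET) for _ in range(n_chunks * CHUNK_SIZE))


def entropy_bits(n_chunks: int = 5) -> float:
    """Guessing entropy of a code with n_chunks chunks (log2 of the keyspace)."""
    return n_chunks * CHUNK_SIZE * math.log2(len(ALPHABET))


def normalize(user_input: str) -> str:
    """Drop separators and whitespace and upper-case, so that
    'abcd-efgh', 'ABCD EFGH' and 'abcdefgh' all denote the same code."""
    return "".join(ch for ch in user_input.upper() if ch.isalnum())


def chunk(code: str, size: int = CHUNK_SIZE, sep: str = "-") -> str:
    """Group a code into fixed-size chunks for display, e.g. ABCD-EFGH-JKMN."""
    raw = normalize(code)
    return sep.join(raw[i:i + size] for i in range(0, len(raw), size))


def verify(user_input: str, expected_code: str) -> bool:
    """Compare the user's re-typed code with the stored one in constant time.
    compare_digest returns False for unequal lengths without leaking timing."""
    given = normalize(user_input).encode()
    expected = normalize(expected_code).encode()
    return hmac.compare_digest(given, expected)


if __name__ == "__main__":
    code = generate_code()
    print("show to user :", chunk(code))          # five chunks of four symbols
    print("entropy      :", round(entropy_bits()), "bits")
    print("typed back   :", verify(chunk(code).lower(), code))
```

Five chunks of four symbols give about 99 bits of guessing entropy while staying well inside the 5 to 9 chunks a user can hold at once.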


Amount of Human Effort Required – Examples: PKI

  • Things PKI end-users have to learn (Sasse, 2006):

    • How to create keys

    • How to import a trust anchor

    • How to import a certificate

    • How to protect your private keys

    • How to apply for a certificate in your environment


Amount of Human Effort and Security – Examples: PKI (Con't)

  • Things PKI end-users have to learn (Sasse, 2006):

    • How to turn on digital signing

    • How to install someone’s public key in the address book

    • How to get someone’s public key

    • How to export a certificate



Models in Human Computer Interaction (HCI)

  • Designer’s Model: The way the designer represents the application

  • Programmer’s Model: The actual way that a system works from a programmer’s perspective.

  • User’s Mental Model

    • The way that the user perceives how the system works.

  • User model: incorporates the cognitive and performance characteristics of a user



Interaction-Design Model

Designer’s Model, User’s Mental Model and System images

Source: www.interact-design.org/images/figures/mental_models.gif



Importance of Mental Models to Usability

  • For Learning & retaining systems’ operations

    • Correct mental models => more usable => users are effective, efficient, and satisfied

  • An inaccurate mental model of what is happening in a system leads to errors.

  • Ideally, the interface and system shall be consistent with our natural mental models about computers, the environment and everyday objects.



Quick Quiz

  • Why do we have difficulty in remembering some of our passwords?

  • Where do humans store passwords and how do we recall them?

  • Explain the role of STM, LTM, and Chunking while using simple and complex passwords.

  • What are the different tasks to be completed to use a firewall a) by end-user, b) by system administrator?

  • Compare and contrast user model, mental model, designer’s model and programmer model.


Human Behavior and Security – Risks

  • People exaggerate risks that are (Bruce Schneier, 2007):

    • Rare

    • Personified

    • Beyond their control

    • Intentional or man-made

    • Immediate

    • Rapidly occurring



Human Behavior and Security – Risks (Con’t)

  • Users minimize their risk and tend to:

    • Not think they are at risk

    • Not give security their full attention

    • Instead focus on their goals, such as completing a task, e.g., completing their on-line payments or reading e-mail with an attached file

    • Think of security and safety as abstract concepts resulting in quick decisions without considering all the risks, consequences and options



Human Behavior and Security – Risks (Con’t)

  • Examples of risky behavior:

    • Opening an attached file from an unknown source because its subject heading makes the user greatly interested in the content of the file

    • Download and installation of an ActiveX control from an unknown source in order to view the Web page content



Human Behavior and Security - Risks (Con’t)

  • To improve security behavior, designers and developers of security systems can (West, 2008):

    • Include a means to reward pro-security behavior, e.g., notify users of unauthorized attempts to access their files

    • Improve risk awareness using message alerts and sounds.

    • Catch security policy violators using auditing and monitoring techniques

    • Reduce the cost by making security systems easy to install, configure and use.



Quiz

  • What are the common attitudes of users with regard to risks associated with computers?

  • Discuss how users make decisions when they face security challenges.



Framework for Studying User Behavior in Security

  • The Social-cognitive Theory can be used as a theoretical framework for

    • studying experiences related to security behavior and

    • identifying factors that influence user’s behavior

  • It is based on a reciprocal relationship between: behavior, cognition and environmental factors



Social–Cognitive Theory

Figure: Social Cognitive Theory

(Source: http://www.des.emory.edu/mfp/eff.html)



Framework for Studying User Behavior (con’t)

  • Applying the Theory:

    • The behavior of users of security systems depends on the individual’s cognitions and emotions, which are shaped by observing and exploiting the environment (e.g. other co-workers’ behavior).

    • It is expected that self-efficacy (the belief that one can execute a behavior to achieve an outcome) has a strong influence on the use of security systems



Framework for Studying User Behavior – Social-cognitive Theory

  • The Social-cognitive Theory also presents:

    • The possibility of learning from experience

    • And learning from the behavior of respected individuals like colleagues and leaders.

    • Finally, knowledge or information about security risks is expected to have impact on security related behavior of users.



Framework for Studying User Behavior – Social-cognitive Theory

  • Therefore, to study experience and factors influencing user behavior, also study the personal characteristics of users, including

    • socio-demographic

    • attitudes

    • beliefs

    • values

    • experience

    • education

    • knowledge

    • and the environmental factors of users



Quiz

  • What is SCT?

  • How can SCT be used to study behavior in security systems?



Takeaway Slides - Summary

  • Analysts, designers, programmers and system administrators of information security systems need to consider facts about

    • human capability and

    • human behavior during their activities.

  • Security threats can arise from human errors and cognitive limitations during the installation, configuration, use and maintenance of these computer and information security systems



Summary - Human Capabilities

  • Investing too much mental effort by users in operating the computer equates to less efficiency and more errors.

  • People often fail to recognize security risks or the information provided to them.


Summary - Human Capabilities

  • Users are not always capable of performing the right decisions regarding security….

    • Security mechanisms such as encryption and authorization can be difficult for people to understand or use.

      (e.g. www.gaudior.net/alma/biblio.html)


Summary - Human Capabilities Factors

  • Key factors are: sensors, attention, processor/information processing, memory, learning and mental models of users

    • Humans are multitasking, therefore, few tasks or decisions receive full attention at a given time.


Summary - Human Capacity: Cognition Model

  • The human cognition model is comprised of:

    • Senses, sensory store, short term memory, long-term memory and

    • processors.

  • Humans have limited capacity for information processing

  • The empirical model developed by Card, Moran and Newell in 1983 estimated various capabilities, decay times, etc.


Summary - Human Capabilities

  • Security threats can arise from human errors and cognitive limitations during the:

    • installation

    • configuration

    • use and maintenance of computers and information security systems.


Summary – Chunking

  • Chunking allows the brain to automatically group certain items together.

    • Human beings have a limited capacity of remembering up to seven pieces of independent information.

      • These seven pieces of information are remembered with a single aspect and one exposure. This actually represents 7 +/- 2 “chunks” (7 plus or minus two pieces of information, or between 5 and 9 items).


Summary - Human Capability Knowledge

  • Knowledge of human capability helps:

    • predict what users will remember, retain, understand and use.

    • understand how to retain new security related knowledge and information in users’ Long Term Memory.

    • use “chunking” when presenting security information and codes such as passwords and access codes.


Summary - Models

  • Designer and user mental models of security systems should match.

  • The burden should be on the system designers to build user expectations into the system design.

  • Accurate models lead to effective, efficient and satisfied customers.

  • Inaccurate mental models lead to errors.


Summary - Human Behavior and Security

  • Users

    • Are not good decision makers

    • Tend to take risks

    • Do not give full attention to security risks

    • Think security and safety are abstract concepts

    • Make quick decisions without considering all of the risks, consequences and options.


Summary - Human Behavior and Security

  • To improve user security behavior, designers of security systems can:

    • Have a mechanism to reward pro-security behavior of users.

    • Improve the awareness of risk through training about risks, and by using message alerts and sounds in security systems that capture the attention of users.


Summary - Human Behavior and Security

  • To improve user security behavior, personnel operating security systems can:

    • Catch corporate security policy violators using the auditing and monitoring capabilities of the security system, with automatic notification of violators via e-mail.

    • Reduce the cost of implementing security by making security systems easy to install, configure and use, and/or by employing good secure default settings.


Discussion Topics

  • Discuss the magic number 7 in the context of computer and information security.

  • Compare and contrast mental model, design model and system model.

  • Discuss why the mental model is important to security systems.

  • Determine the things firewall users have to learn.


References

  1. Bahn, D. Social Learning Theory: its application in the context of nurse education. Nurse Education Today, 21 (2), 110-117.

  2. Benyon, D., Davies, G., Keller, L., Preece, J. and Rogers, Y. A Guide to Usability: Human Factors in Computing. Addison Wesley Publishing Company, Wokingham, England, 1993.

  3. 2004. Instructional System Design Concept Map. Accessed January 13, 2009, from http://nwlink.com/~donclark/hrd/ahold/isd.html

  4. Sasse, A. and Flechais, I. Usable Security. In Cranor, L.F. and Garfinkel, S. (eds.), Security and Usability: Designing Secure Systems That People Can, O'Reilly Media, California, 2005.

  5. Schneier, B. The psychology of security. Commun. ACM, 50 (5), 128.

  6. Tversky, A. and Kahneman, D. Rational Choice and the Framing of Decisions. The Journal of Business, 59 (s4), S251.

  7. West, R. The psychology of security. Commun. ACM, 51 (4), 34-40.