
Module 2 Human Capability, Behavior and Information Security


Presentation Transcript


  1. Module 2: Human Capability, Behavior and Information Security
  Azene Zenebe, Ph.D., and Lola Staples, M.Sc.
  Management of Information Systems Department, Center for Business and Graduate Studies, Room 3330, 14000 Jericho Park Road, Bowie, MD 20715
  Human Capability, Behavior and Information Security

  2. Presentation Outline
  • Overview
  • Introduction
  • Human Capability and Security
  • Factors for Human Capability
  • Models in Human Computer Interaction (HCI)
  • Importance to Usability of Security Systems
  • Human Behavior and Security
  • Summary
  • Discussion Questions

  3. Overview
  • Users are not always capable of making the right decisions regarding security.
  • If users have to invest too much mental effort in working out how to operate security systems, they will be less efficient and make more errors.
  • Human – security system interaction is a cognitive activity.

  4. Objectives
  When you complete this module, you will be able to:
  • Describe human capability
  • Discuss factors that determine human capability
  • Describe the relationship between usability of security systems and human capability
  • Discuss human behavior in security systems
  • Determine factors affecting human behaviors in security systems
  • Conduct a study of user behaviors in a security system

  5. Introduction
  • Users interact with computer and information security systems differently and have different behavior.
  • The purpose of this module is to provide definitions, background and a theoretical framework for human capability and behavior in relationship to the usability of computer and information security systems.

  6. Human Capability and Security
  • Humans carry out tasks in which information is created, accessed and/or manipulated.
  • The more complicated the interaction with the computer system, the more frustrated users become and the more distracted they are from their real tasks.
  • Users are not always capable of making the right decisions regarding security.

  7. Human Capability and Security
  • Several studies indicated that:
    • The mechanisms for encryption, authorization or authentication can be difficult for people to understand or use.
    • People often fail to recognize security risks or the information provided to alert them.
  • Computer interaction is a cognitive activity that involves processing of information in the mind.

  8. Human Capability and Security – What is Cognition?
  • Cognition is the process of recognizing, interpreting, judging and reasoning.
  • Cognition involves high-level intellectual functions carried out by the human brain, including:
    • planning
    • problem-solving
    • self-monitoring

  9. Factors for Human Capacity
  • Key factors that affect the way users interact with computer systems are:
    • our sensors
    • attention
    • memory (sensory, short-term and long-term)
    • learning, and
    • mental models
  • Putting all these factors together leads to the Human Information Processing Model.

  10. Factors – Sensors
  • Perception – the process of seeing, which is an active process:
    • mainly visual environmental information
    • can draw on previously stored knowledge
    • provides a more constant view of the world
  • Perception is highly related to the user interface of security systems, which should be:
    • legible
    • distinguishable
    • comprehensible
    • uncluttered and meaningfully structured

  11. Factors – Attention
  • Attention – our capability to attend to a mass of information at one time.
  • We can see, hear, and smell at one time.
  • We are multi-tasking.
  • Hence few tasks or decisions receive our full attention at any given time.

  12. Factors – Memory
  • Memory – our ability to store and remember.
  • There are three main types:
    • sensory memory (SM)
    • short-term memory (STM)
    • long-term memory (LTM)

  13. Factors – Sensory Memory (SM)
  • SM retains an exact copy of what is seen, heard or touched
  • mainly visual and auditory
  • SM lasts only a few seconds, or approximately 300 milliseconds
  • has unlimited capacity

  14. Factors – Short-Term Memory (STM)
  • Clark (2004) states that selective attention determines what information moves from sensory memory to short-term memory.
  • STM works like RAM.
  • STM provides a working space and is vulnerable to interruption or interference.

  15. Factors – STM
  • STM has a limited capacity: it can retain up to 7 pieces of independent information with a single aspect, i.e., actually 7 +/- 2 “chunks.”
  • 7 is called Miller's Magic Number.
  • These items last from 3 to 20 seconds.

  16. Factors – STM: “Chunking”
  • “Chunking” allows the brain to automatically group certain items together, e.g., a telephone number.
  • We remember phone numbers by their aspects of 2 or more groupings.
  • We don't really remember "seven" numbers.

  17. Factors – Long-Term Memory (LTM)
  • LTM is defined by Clark as relatively permanent storage…
  • Information is stored by meaning and importance.
  • Information can be stored for extended periods of time.
  • Capacity limits are unknown.
  • Information moves from STM to LTM.

  18. Factors – Long-Term Memory
  • Information moves from STM to LTM by
    • rehearsal
    • practice, and
    • use in context.
  • “LTM stores interrelated networks of mental models of the world that form intricate knowledge structures.”

  19. Factors – Long-Term Memory (cont'd)
  • According to Clark (2004):
    • LTM has a strong influence on perception through top-down processing…
    • Our prior knowledge affects how we perceive sensory information…
    • Our expectations regarding a particular sensory experience influence how we interpret it… this is how we develop bias.

  20. Factors – Learning
  • Learning is acquiring new knowledge, behaviors, skills, values, preferences or understanding, and may involve synthesizing different types of information.
  • The ability to learn is possessed by humans, animals and some machines.

  21. Factors – Mental Model (MM)
  • An MM is a set of beliefs about how a system works.
  • Users interact with systems based on their MM.
  • Some properties of an MM:
    • Enables users to understand the working of a security system.
    • Can be built on the fly from knowledge of prior system experience, training, and interaction.
    • Is unstable and subject to change.
    • Contains minimal information.

  22. Factors – Human Processors (HP)
  • The HP in information processing involves:
    • Encoding the information into some form of internal representation (this is related to perception)
    • Comparing this representation with previously stored representations in the brain (this is related to attention and memory)
    • Deciding on appropriate responses; and
    • Organizing a response and necessary action

  23. The Information Processing Model
  Humans have a limited capacity for processing information due to the nature of our memory, processors and sensors such as sight, touch and hearing.
  Figure: The Information Processing Model (Clark, 2004)

  24. Models of Human Performance
  • A simple model of human cognition was empirically developed by Card, Moran and Newell in 1983.
  • The components are senses, sensory store, short-term memory, long-term memory, and processors.
  • Processor cycle time is 50–200 ms.
  • Memories have a type, a capacity and a decay time.
  • See the figure for the model summary.

  25. Human Performance – Summary

  26. Importance to Usability of Security Systems
  • Knowledge of human capability helps:
    • Predict what users will remember, retain, understand and use.
    • Plan how to get new security-related knowledge and information retained in users' long-term memory during training.
    • Use chunking when presenting security information and codes such as passwords, access codes, etc. to users.

  27. Amount of Human Effort Required – Examples: PKI
  • Things PKI end-users have to learn (Sasse, 2006):
    • How to create keys
    • How to import a trust anchor
    • How to import a certificate
    • How to protect your private keys
    • How to apply for a certificate in your environment

  28. Amount of Human Effort and Security – Examples: PKI (cont'd)
  • Things PKI end-users have to learn (Sasse, 2006):
    • How to turn on digital signing
    • How to install someone's public key in the address book
    • How to get someone's public key
    • How to export a certificate

  29. Models in Human Computer Interaction (HCI)
  • Designer's Model: the way the designer represents the application.
  • Programmer's Model: the actual way that a system works from a programmer's perspective.
  • User's Mental Model: the way that the user perceives how the system works.
  • User Model: incorporates the cognitive and performance characteristics of a user.

  30. Interaction-Design Model
  Figure: Designer's Model, User's Mental Model and System Image (Source: www.interact-design.org/images/figures/mental_models.gif)

  31. Importance of Mental Models to Usability
  • For learning and retaining systems' operations.
  • Correct mental models => more usable => users are effective, efficient, and satisfied.
  • An inaccurate mental model of what is happening in a system leads to errors.
  • Ideally, the interface and system should be consistent with our natural mental models of computers, the environment and everyday objects.

  32. Quick Quiz
  • Why do we have difficulty in remembering some of our passwords?
  • Where do humans store passwords and how do we recall them?
  • Explain the role of STM, LTM, and chunking while using simple and complex passwords.
  • What are the different tasks to be completed to use a firewall a) by an end-user, b) by a system administrator?
  • Compare and contrast the user model, mental model, designer's model and programmer's model.

  33. Human Behavior and Security – Risks
  • People exaggerate risks that are (Bruce Schneier, 2007):
    • Rare
    • Personified
    • Beyond their control
    • Intentional or man-made
    • Immediate
    • Rapidly occurring

  34. Human Behavior and Security – Risks (cont'd)
  • Users minimize their risk and tend to:
    • Not think they are at risk
    • Not give security their full attention
    • Instead focus on their goals, such as completing a task, e.g., completing their online payments or reading e-mail with an attached file
    • Think of security and safety as abstract concepts, resulting in quick decisions made without considering all the risks, consequences and options

  35. Human Behavior and Security – Risks (cont'd)
  • Examples of risky behavior:
    • Opening a file attachment from an unknown source because the subject heading makes the user greatly interested in the file's content
    • Downloading and installing an ActiveX control from an unknown source in order to view the Web page content

  36. Human Behavior and Security – Risks (cont'd)
  • To improve security behavior, designers and developers of security systems can (West, 2008):
    • Include a means to reward pro-security behavior, e.g., notify users of unauthorized attempts to access their files.
    • Improve risk awareness using message alerts and sounds.
    • Catch security policy violators using auditing and monitoring techniques.
    • Reduce the cost by making security systems easy to install, configure and use.

  37. Quiz
  • What are the common attitudes of users with regard to the risks associated with computers?
  • Discuss how users make decisions when they face security challenges.

  38. Framework for Studying User Behavior in Security
  • Social-Cognitive Theory can be used as a theoretical framework for
    • studying experiences related to security behavior, and
    • identifying factors that influence users' behavior.
  • It is based on a reciprocal relationship between behavior, cognition and environmental factors.

  39. Social-Cognitive Theory
  Figure: Social Cognitive Theory (Source: http://www.des.emory.edu/mfp/eff.html)

  40. Framework for Studying User Behavior (cont'd)
  • Applying the theory:
    • The behavior of users of security systems depends on the individual's cognitions and emotions, which are shaped by observing and exploiting the environment (e.g., other co-workers' behavior).
    • It is expected that self-efficacy (the belief that one can execute a behavior to achieve an outcome) has a strong influence on the use of security systems.

  41. Framework for Studying User Behavior – Social-Cognitive Theory
  • Social-Cognitive Theory also presents:
    • The possibility of learning from experience, and
    • Learning from the behavior of respected individuals such as colleagues and leaders.
  • Finally, knowledge or information about security risks is expected to have an impact on the security-related behavior of users.

  42. Framework for Studying User Behavior – Social-Cognitive Theory
  • Therefore, to study experience and the factors influencing user behavior, also study the personal characteristics of users, including
    • socio-demographics
    • attitudes
    • beliefs
    • values
    • experience
    • education
    • knowledge
  • and the environmental factors of users.

  43. Quiz
  • What is SCT?
  • How can SCT be used in studying the behavior of users of security systems?

  44. Takeaway Slides – Summary
  • Analysts, designers, programmers and system administrators of information security systems need to consider facts about
    • human capability, and
    • human behavior during their activities.
  • Security threats can arise from human errors and cognitive limitations during the installation, configuration, use and maintenance of these computer and information security systems.

  45. Summary – Human Capabilities
  • Investing too much mental effort by users in operating the computer equates to less efficiency and more errors.
  • People often fail to recognize security risks or the information provided to them.

  46. Summary – Human Capabilities
  • Users are not always capable of making the right decisions regarding security.
  • Security mechanisms such as encryption and authorization can be difficult for people to understand or use (e.g., www.gaudior.net/alma/biblio.html).

  47. Summary – Human Capability Factors
  • Key factors are: sensors, attention, processor/information processing, memory, learning and mental models of users.
  • Humans are multitasking; therefore, few tasks or decisions receive full attention at a given time.

  48. Summary – Human Capacity: Cognition Model
  • The human cognition model is comprised of:
    • senses, sensory store, short-term memory, long-term memory, and
    • processors.
  • Humans have a limited capacity for information processing.
  • The empirical model developed by Card, Moran and Newell in 1983 estimated various capabilities, decay times, etc.

  49. Summary – Human Capabilities
  • Security threats can arise from human errors and cognitive limitations during the:
    • installation
    • configuration
    • use and maintenance of computers and information security systems.

  50. Summary – Chunking
  • Chunking allows the brain to automatically group certain items together.
  • Human beings have a limited capacity to remember up to seven pieces of independent information.
  • These seven pieces of information are remembered with a single aspect and one exposure; this actually represents 7 +/- 2 “chunks” (7 plus or minus two pieces of information, or between 5 and 9 items).
