
Utilising human factors in the science of security



Presentation Transcript


  1. Utilising human factors in the science of security Adam Beautement Department of Computer Science University College London, UK a.beautement@cs.ucl.ac.uk

  2. Overview • Background • Limitations of common security outlooks • Compliance as a decision making process • Identifying drivers for non-compliance • Positively influencing the compliance decision

  3. Background • Research associate at UCL • ACE-CSR • RISC • Focused on optimising Information Security decision making • Individuals • Organisations • Current research takes a utility-based view of systems fully incorporating human factors

  4. Productive Security • A project motivated by the view that: • Security exists to serve the primary process, not as an end goal in its own right • Taking a Productive Security approach can at least improve productivity without compromising security, and possibly improve both at the same time • Security can act as a business enabler

  5. The science of security • There is no current science of security • Security decisions are made by individuals, based on their own personal store of knowledge and experience • Data is in short supply • Organisations are reluctant to release breach reports • What is security relevant?

  6. The System • Technology • Infrastructure • Processes • End Users • Secured by: • Technical Controls • Control of the environment • A wider range of interventions and approaches needed

  7. Uninformed assumptions • Security managers assume that users: • Are an unlimited source of effort • Are motivated by security • Are lacking in education • And that educating them appropriately will change their behaviour • None of these are true! • Security systems based on these assumptions will fail

  8. Hypothesis • ~10% Staff who think they know better, or don’t care • ~80% Staff who know what they should do, but feel they can’t • ~10% Staff who don’t know policy

  9. Friction • Security is a process that sits alongside others • Business • Infrastructure • Social • Where security is designed without these in mind it creates friction

  10. The Compliance Budget [figure: effectiveness of security policy plotted against perceived individual cost, showing the compliance threshold and higher vs. lower spending rates]

  11. Outcome of Negative Compliance Decision vs. Outcome of Positive Compliance Decision • COSTS: Physical Load, Cognitive Load, Missed Opportunity, Embarrassment, Reduced Availability, ‘Hassle Factor’ • BENEFITS: Protection From Responsibility, Protection From Sanctions

  12. Productive Security Methodology • 1. Identify problem areas and drivers of behaviour • 2. Assess the scale of the problem • 3. Prioritise interventions • 4. Design (and deploy) interventions • 5. Assess impacts and outcomes

  13. In practice… • 1. Semi-structured interviews with a vertical cross-section of the target organisation • 2. Scenario-based survey, based on interview analysis, that assesses responses to conflict situations • 3. Work with the organisation to determine strategy and capability • 4. Select the optimal intervention, targeting the appropriate socio-technical factor(s) • 5. Develop and utilise metrics to measure change in security behaviour and levels of compliance

  14. Empirical data gathering • Focused on identifying ways of managing non-compliance through: • Changing behaviour • Restructuring security systems/policy • Working with commercial partners • 118 semi-structured interviews with staff on (non)compliance, to identify areas and reasons • Online survey asking staff about security behaviour and attitudes • 1256 valid completed surveys • 800+ free text responses

  15. Interview Results • High level of awareness of corporate policies • Every interviewee reported not complying with at least one policy • Hotspots include bypassing access control, not encrypting files, password sharing, tailgating • Main drivers for non-compliance come from time and performance pressures: • Compliance impossible or inconveniently delays the primary task • Compliance perceived to be damaging to individual/business performance

  16. Behaviour and attitude survey • 10 scenarios describing situations in which an employee is faced with a conflict between the business and security processes • Scenarios split between Behaviour and Attitude types • Each participant presented with 4 scenarios • Clear company policy, but “no easy answers” – dilemma between business and security • Range of non-compliant options to deal with the dilemma • Participants ranked the options in order of preference • Participants rated the severity of the security issue created by non-compliance in each scenario

  17. Findings and recommendations

  18. What does ‘good’ look like? • Showing what problems exist does not necessarily allow goals to be set • Organisations are poor at describing what desirable security outcomes look like, especially with regard to security behaviour • Is it ever acceptable for employees to break policy? • We looked at existing models, particularly the CM process maturity model, and adapted them

  19. Security Behaviour Maturity Model

  20. The Maturity Model • Actually expresses a relationship between the user and the policy • It is not just a checklist of desirable user attributes • Individuals with a strong internal security culture will exhibit different behaviours depending on the quality of the policy they are working under • Identifying these individuals improves organisational efficiency as effort is not wasted in trying to retrain them

  21. The Knowing-Doing Gap • Alfawaz et al. identify that information can be unintentionally leaked when a gap exists between policy and behaviour • They describe a framework of behaviour • Not knowing, not doing (security novice) • Not knowing, doing (security savant) • Knowing, not doing (rule breaker) • Knowing, doing (optimal)

  22. Interaction with the maturity model • Overlaying these frameworks allows a behavioural diagnostic approach to be taken • ‘Knowing, not doing’ can indicate: • A malicious insider • A worthwhile employee utilising workarounds due to a poor policy implementation • Elimination of the second category, through reducing policy friction, improves insider detection

  23. Key principles for mature security • Relationship of security to productive process • Awareness of security-relevant events • Detection and reporting of vulnerabilities • Action to manage vulnerabilities/risk • Action in case of human error • Action in case of breach • Maintenance and improvement over time

  24. Managing Non-Compliance • Compliance requires ability and willingness • Can’t comply: Security asks that are impossible to complete. Must remove as a matter of security hygiene • Could comply but won’t comply: Tasks that can be completed in theory, but require a high level of effort and/or reduce productivity. Re-design or SEAT • Can comply and does comply: Security tasks that are routinely completed. Provide initial baseline

  25. Improving decision making • The natural limitations of the user must be recognised, as well as their goals • Security interventions must be tailored and targeted – one size fits none • The primary process of the business must be understood, and served • This will be the major motivating force of the user’s actions • The organisation has as much responsibility to change as the user • Policies (e.g. health and safety, recycling, security) must be unified, not stove-piped

  26. Questions?
