Slide1
Utilising human factors in the science of security
Adam Beautement
Department of Computer Science
University College London, UK
a.beautement@cs.ucl.ac.uk
Slide2
Overview
Background
Limitations of common security outlooks
Compliance as a decision making process
Identifying drivers for non-compliance
Positively influencing the compliance decision
Slide3
Background
Research associate at UCL
ACE-CSR
RISC
Focused on optimising Information Security decision making
Individuals
Organisations
Current research takes a utility-based view of systems, fully incorporating human factors
Slide4
Productive Security
A project motivated by the view that:
Security exists to serve the primary process, not as an end goal in its own right
Taking a Productive Security approach can at least improve productivity without compromising security, and possibly improve both at the same time
Security can act as a business enabler
Slide5
The science of security
There is no current science of security
Security decisions are made by individuals, based on their own personal store of knowledge and experience
Data is in short supply
Organisations are reluctant to release breach reports
What is security-relevant?
Slide6
The System
Technology
Infrastructure
Secured by:
Technical Controls
Control of the environment
Processes
End Users
A wider range of interventions and approaches needed
Slide7
Uninformed assumptions
Security managers assume that users:
Are an unlimited source of effort
Are motivated by security
Are lacking in education
And that educating them appropriately will change their behaviour
None of these are true!
Security systems based on these assumptions will fail
Slide8
Hypothesis
Chart: proportions of staff shown as ~10%, ~10% and ~80%, across three groups:
Staff who think they know better, or don’t care
Staff who know what they should do, but feel they can’t
Staff who don’t know policy
Slide9
Friction
Security is a process that sits alongside others
Business
Infrastructure
Social
Where security is designed without these in mind, it creates friction
Slide10
The Compliance Budget
Chart: perceived individual cost plotted against effectiveness of security policy, with the compliance threshold marked and higher and lower spending rates shown as separate curves
Slide11
Outcome of positive compliance decision
BENEFITS:
Protection from responsibility
Protection from sanctions
COSTS:
Physical load
Cognitive load
Missed opportunity
Embarrassment
Reduced availability
‘Hassle factor’
Outcome of negative compliance decision
Slide12
Productive Security Methodology
Assess the scale of the problem
Identify problem areas and drivers of behaviour
Prioritise interventions
Design (and deploy) interventions
Assess impacts and outcomes
Slide13
In practice…
Scenario-based survey, based on interview analysis, that assesses responses to conflict situations
Semi-structured interviews with a vertical cross-section of the target organisation
Work with the organisation to determine strategy and capability
Select the optimal intervention, targeting the appropriate socio-technical factor(s)
Develop and use metrics to measure change in security behaviour and levels of compliance
Slide14
Empirical data gathering
Focused on identifying ways of managing non-compliance through:
Changing behaviour
Restructuring security systems/policy
Working with commercial partners
118 semi-structured interviews with staff on (non-)compliance, to identify areas and reasons
Online survey asking staff about security behaviour and attitudes
1256 valid completed surveys
800+ free-text responses
Slide15
Interview Results
High level of awareness of corporate policies
Every interviewee reported not complying with at least one policy
Hotspots include bypassing access control, not encrypting files, password sharing, tailgating
Main drivers for non-compliance come from time and performance pressures:
Compliance impossible or inconveniently delays the primary task
Compliance perceived to be damaging to individual/business performance
Slide16
Behaviour and attitude survey
10 scenarios describing situations in which an employee is faced with a conflict between the business and security processes
Scenarios split between Behaviour and Attitude types
Each participant presented with 4 scenarios
Clear company policy, but “no easy answers” – dilemma between business and security
Range of non-compliant options to deal with the dilemma
Participants ranked the options in order of preference
Participants rated the severity of the security issue created by non-compliance in each scenario
Slide17
Findings and recommendations
Each interview/scenario finding is paired with a suggested course of action:
Finding: Employees aware of risks but still not compliant
Suggested course of action: The problem is not one of knowledge – awareness training will not solve compliance issues, so new approaches are required
Finding: Statistically significant cultural variation detected between US and UK populations
Suggested course of action: Interventions need to be tailored to the target populations – more business-focused in the US and more security-focused in the UK
Finding: Passive disposition toward security – breaches and workarounds not challenged
Suggested course of action: Provide appropriate discrete channels for security feedback, whether complaints, problems or breach reports
Finding: Main security driver is common sense, not organisational communications/policy
Suggested course of action: Seek to increase the visibility of the organisational message, and engagement with employees
Slide18
What does ‘good’ look like?
Showing what problems exist does not necessarily allow goals to be set
Organisations are poor at describing what desirable security outcomes look like, especially with regards to security behaviour
Is it ever acceptable for employees to break policy?
We looked at existing models, particularly the CM process maturity model, and adapted them
Slide19
Security Behaviour Maturity Model
Slide20
The Maturity Model
Actually expresses a relationship between the user and the policy
It is not just a checklist of desirable user attributes
Individuals with a strong internal security culture will exhibit different behaviours depending on the quality of the policy they are working under
Identifying these individuals improves organisational efficiency, as effort is not wasted in trying to retrain them
Slide21
The Knowing-Doing Gap
Alfawaz et al. identify that information can be unintentionally leaked when a gap exists between policy and behaviour
They describe a framework of behaviour
Not knowing, not doing (security novice)
Not knowing, doing (security savant)
Knowing, not doing (rule breaker)
Knowing, doing (optimal)
Slide22
Interaction with maturity model
Overlaying these frameworks allows a behavioural diagnostic approach to be taken
‘Knowing, not doing’ can indicate:
A malicious insider
A worthwhile employee utilising workarounds due to a poor policy implementation
Elimination of the second category, through reducing policy friction, improves insider detection
Slide23
Key principles for mature security
Relationship of security to productive process
Awareness of security-relevant events
Detection and reporting of vulnerabilities
Action to manage vulnerabilities/risk
Action in case of human error
Action in case of breach
Maintenance and improvement over time
Slide24
Managing Non-Compliance
Compliance requires ability and willingness
Can’t comply
Security asks that are impossible to complete.
Must remove as a matter of security hygiene
Could comply but won’t comply
Tasks that can be completed in theory, but require a high level of effort and/or reduce productivity.
Re-design or SEAT
Can comply and does comply
Security tasks that are routinely completed.
Provide initial baseline.
Slide25
Improving decision making
The natural limitations of the user must be recognised, as well as their goals
Security interventions must be tailored and targeted – one size fits none
The primary process of the business must be understood, and served
This will be the major motivating force of the user’s actions
The organisation has as much responsibility to change as the user
Policies (e.g. health and safety, recycling, security) must be unified, not stove-piped
Slide26
Questions?