Utilising human factors in the science of security

Uploaded On 2017-12-17

Presentation Transcript

Slide1

Utilising human factors in the science of security

Adam Beautement

Department of Computer Science

University College London, UK

a.beautement@cs.ucl.ac.uk

Slide2

Overview

Background

Limitations of common security outlooks

Compliance as a decision making process

Identifying drivers for non-compliance

Positively influencing the compliance decision

Slide3

Background

Research associate at UCL

ACE-CSR

RISC

Focused on optimising Information Security decision making

Individuals

Organisations

Current research takes a utility-based view of systems, fully incorporating human factors

Slide4

Productive Security

A project motivated by the view that:

Security exists to serve the primary process, not as an end goal in its own right

Taking a Productive Security approach can at least improve productivity without compromising security, and possibly improve both at the same time

Security can act as a business enabler

Slide5

The science of security

There is no current science of security

Security decisions are made by individuals, based on their own personal store of knowledge and experience

Data is in short supply

Organisations are reluctant to release breach reports

What is security relevant?

Slide6

The System

Technology

Infrastructure

Secured by:

Technical Controls

Control of the environment

Processes

End Users

A wider range of interventions and approaches is needed

Slide7

Uninformed assumptions

Security managers assume that users:

Are an unlimited source of effort

Are motivated by security

Are lacking in education

And that educating them appropriately will change their behaviour

None of these are true!

Security systems based on these assumptions will fail

Slide8

Hypothesis

[Figure: three groups of staff, labelled ~10%, ~10% and ~80%]

Staff who think they know better, or don’t care

Staff who know what they should do, but feel they can’t

Staff who don’t know policy

Slide9

Friction

Security is a process that sits alongside others

Business

Infrastructure

Social

Where security is designed without these in mind it creates friction

Slide10

The Compliance Budget

[Figure: axes labelled “Perceived individual cost” and “Effectiveness of Security policy”; marked features: Compliance Threshold, Higher Spending Rate, Lower Spending Rate]

Slide11

[Figure: cost/benefit balance of the compliance decision, with labels “Outcome of Positive Compliance Decision” and “Outcome of Negative Compliance Decision”]

BENEFITS: Protection from responsibility; Protection from sanctions

COSTS: Physical load; Cognitive load; Missed opportunity; Embarrassment; Reduced availability; ‘Hassle factor’

Slide12

Productive Security Methodology

1. Assess the scale of the problem

2. Identify problem areas and drivers of behaviour

3. Prioritise interventions

4. Design (and deploy) interventions

5. Assess impacts and outcomes

Slide13

In practice…

Scenario-based survey, based on interview analysis, that assesses responses to conflict situations

Semi-structured interviews with a vertical cross section of the target organisation

Work with the organisation to determine strategy and capability

Select the optimal intervention, targeting the appropriate socio-technical factor(s)

Develop and utilise metrics to measure change in security behaviour and levels of compliance

Slide14

Empirical data gathering

Focused on identifying ways of managing non-compliance through:

Changing behaviour

Restructuring security systems/policy

Working with commercial partners

118 semi-structured interviews with staff on (non)compliance, to identify areas and reasons

Online survey asking staff about security behaviour and attitudes

1256 valid completed surveys

800+ free text responses

Slide15

Interview Results

High level of awareness of corporate policies

Every interviewee reported not complying with at least one policy

Hotspots include bypassing access control, not encrypting files, password sharing, tailgating

Main drivers for non-compliance come from time and performance pressures:

Compliance is impossible or inconveniently delays the primary task

Compliance is perceived to be damaging to individual/business performance

Slide16

Behaviour and attitude survey

10 scenarios describing situations in which an employee is faced with a conflict between the business and security processes

Scenarios split between Behaviour and Attitude types

Each participant presented with 4 scenarios

Clear company policy, but “no easy answers” – dilemma between business and security

Range of non-compliant options to deal with the dilemma

Participants ranked the options in order of preference

Participants rated the severity of the security issue created by non-compliance in each scenario

Slide17

Findings and recommendations

Interview/Scenario Finding: Employees aware of risks but still not compliant
Suggested course of action: The problem is not one of knowledge – awareness training will not solve compliance issues, so new approaches are required

Interview/Scenario Finding: Statistically significant cultural variation detected between US and UK populations
Suggested course of action: Interventions need to be tailored to the target populations – more business focused in the US and more security focused in the UK

Interview/Scenario Finding: Passive disposition toward security – breaches and workarounds not challenged
Suggested course of action: Provide appropriate discrete channels for security feedback, whether complaints, problems or breach reports

Interview/Scenario Finding: Main security driver is common sense, not organisational communications/policy
Suggested course of action: Seek to increase the visibility of the organisational message, and engagement with employees

Slide18

What does ‘good’ look like?

Showing what problems exist does not necessarily allow goals to be set

Organisations are poor at describing what desirable security outcomes look like, especially with regards to security behaviour

Is it ever acceptable for employees to break policy?

We looked at existing models, particularly the CM process maturity model, and adapted them

Slide19

Security Behaviour Maturity Model

Slide20

The Maturity Model

Actually expresses a relationship between the user and the policy

It is not just a checklist of desirable user attributes

Individuals with a strong internal security culture will exhibit different behaviours depending on the quality of the policy they are working under

Identifying these individuals improves organisational efficiency, as effort is not wasted in trying to retrain them

Slide21

The Knowing-Doing Gap

Alfawaz et al. identify that information can be unintentionally leaked when a gap exists between policy and behaviour

They describe a framework of behaviour

Not knowing, not doing (security novice)

Not knowing, doing (security savant)

Knowing, not doing (rule breaker)

Knowing, doing (optimal)

Slide22

Interaction with maturity model

Overlaying these frameworks allows a behavioural diagnostic approach to be taken

‘Knowing, not doing’ can indicate:

A malicious insider

A worthwhile employee utilising workarounds due to a poor policy implementation

Elimination of the second category, through reducing policy friction, improves insider detection

Slide23

Key principles for mature security

Relationship of security to productive process

Awareness of security-relevant events

Detection and reporting of vulnerabilities

Action to manage vulnerabilities/risk

Action in case of human error

Action in case of breach

Maintenance and improvement over time

Slide24

Managing Non-Compliance

Compliance requires ability and willingness

Can’t comply: security asks that are impossible to complete. Must be removed as a matter of security hygiene.

Could comply but won’t comply: tasks that can be completed in theory, but require a high level of effort and/or reduce productivity. Re-design or SEAT.

Can comply and does comply: security tasks that are routinely completed. Provide the initial baseline.

Slide25

Improving decision making

The natural limitations of the user must be recognised, as well as their goals

Security interventions must be tailored and targeted – one size fits none

The primary process of the business must be understood, and served

This will be the major motivating force of the user’s actions

The organisation has as much responsibility to change as the user

Policies (e.g. health and safety, recycling, security) must be unified, not stove-piped

Slide26

Questions?