TRANSCRIPT
Utilising human factors in the science of security
Adam Beautement, Department of Computer Science, University College London, [email protected]
Overview
• Background
• Limitations of common security outlooks
• Compliance as a decision making process
• Identifying drivers for non-compliance
• Positively influencing the compliance decision
Background
• Research associate at UCL
– ACE-CSR
– RISC
• Focused on optimising information security decision making
– Individuals
– Organisations
• Current research takes a utility-based view of systems, fully incorporating human factors
Productive Security
• A project motivated by the view that:
– Security exists to serve the primary process, not as an end goal in its own right
– Taking a Productive Security approach can at least improve productivity without compromising security, and possibly improve both at the same time
– Security can act as a business enabler
The science of security
• There is no current science of security
• Security decisions are made by individuals, based on their own personal store of knowledge and experience
• Data is in short supply
– Organisations are reluctant to release breach reports
– What is security relevant?
The System
[Figure: layers of the system: Technology; Infrastructure; Processes; End Users. Secured by: technical controls, control of the environment. A wider range of interventions and approaches is needed.]
Uninformed assumptions
• Security managers assume that users:
– Are an unlimited source of effort
– Are motivated by security
– Are lacking in education
• And that educating them appropriately will change their behaviour
• None of these are true!
• Security systems based on these assumptions will fail
Hypothesis
[Figure: three groups of staff, labelled ~10%, ~10% and ~80%: staff who think they know better, or don’t care; staff who know what they should do, but feel they can’t; staff who don’t know policy.]
Friction
• Security is a process that sits alongside others
– Business
– Infrastructure
– Social
• Where security is designed without these in mind it creates friction
The Compliance Budget
[Figure: effectiveness of security policy plotted against perceived individual cost, showing a compliance threshold and curves for a higher spending rate and a lower spending rate.]
[Figure: outcome of a positive compliance decision versus outcome of a negative compliance decision. Benefits: protection from responsibility; protection from sanctions. Costs: physical load; cognitive load; missed opportunity; embarrassment; reduced availability; ‘hassle factor’.]
Productive Security Methodology
1. Assess the scale of the problem
2. Identify problem areas and drivers of behaviour
3. Prioritise interventions
4. Design (and deploy) interventions
5. Assess impacts and outcomes
In practice…
• Scenario-based survey, based on interview analysis, that assesses responses to conflict situations
• Semi-structured interviews with a vertical cross section of the target organisation
• Work with the organisation to determine strategy and capability
• Select the optimal intervention, targeting the appropriate socio-technical factor(s)
• Develop and utilise metrics to measure change in security behaviour and levels of compliance
Empirical data gathering
• Focused on identifying ways of managing non-compliance through:
– Changing behaviour
– Restructuring security systems/policy
• Working with commercial partners: 118 semi-structured interviews with staff on (non)compliance, to identify areas and reasons
• Online survey asking staff about security behaviour and attitudes
– 1256 valid completed surveys
– 800+ free text responses
Interview Results
• High level of awareness of corporate policies
• Every interviewee reported not complying with at least one policy
– Hotspots include bypassing access control, not encrypting files, password sharing, tailgating
• Main drivers for non-compliance come from time and performance pressures:
– Compliance is impossible, or inconveniently delays the primary task
– Compliance perceived to be damaging to individual/business performance
Behaviour and attitude survey
• 10 scenarios describing situations in which an employee is faced with a conflict between the business and security processes
• Scenarios split between Behaviour and Attitude types
• Each participant presented with 4 scenarios
– Clear company policy, but “no easy answers”
– Dilemma between business and security
– Range of non-compliant options to deal with the dilemma
– Participants ranked the options in order of preference
– Participants rated the severity of the security issue created by non-compliance in each scenario
Findings and recommendations
Interview/Scenario Finding: Employees aware of risks but still not compliant
Suggested course of action: The problem is not one of knowledge – awareness training will not solve compliance issues, so new approaches are required

Interview/Scenario Finding: Statistically significant cultural variation detected between US and UK populations
Suggested course of action: Interventions need to be tailored to the target populations – more business focused in the US and more security focused in the UK

Interview/Scenario Finding: Passive disposition toward security – breaches and workarounds not challenged
Suggested course of action: Provide appropriate discrete channels for security feedback, whether complaints, problems or breach reports

Interview/Scenario Finding: Main security driver is common sense, not organisational communications/policy
Suggested course of action: Seek to increase the visibility of the organisational message, and engagement with employees
What does ‘good’ look like?
• Showing what problems exist does not necessarily allow goals to be set
• Organisations are poor at describing what desirable security outcomes look like, especially with regard to security behaviour
– Is it ever acceptable for employees to break policy?
• We looked at existing models, particularly the CM process maturity model, and adapted them
Security Behaviour Maturity Model
The Maturity Model
• Actually expresses a relationship between the user and the policy
– It is not just a checklist of desirable user attributes
• Individuals with a strong internal security culture will exhibit different behaviours depending on the quality of the policy they are working under
• Identifying these individuals improves organisational efficiency, as effort is not wasted in trying to retrain them
The Knowing-Doing Gap
• Alfawaz et al. identify that information can be unintentionally leaked when a gap exists between policy and behaviour
• They describe a framework of behaviour:
– Not knowing, not doing (security novice)
– Not knowing, doing (security savant)
– Knowing, not doing (rule breaker)
– Knowing, doing (optimal)
Interaction with maturity model
• Overlaying these frameworks allows a behavioural diagnostic approach to be taken
• ‘Knowing, not doing’ can indicate:
– A malicious insider
– A worthwhile employee utilising workarounds due to a poor policy implementation
• Elimination of the second category, through reducing policy friction, improves insider detection
Key principles for mature security
• Relationship of security to productive process
• Awareness of security-relevant events
• Detection and reporting of vulnerabilities
• Action to manage vulnerabilities/risk
• Action in case of human error
• Action in case of breach
• Maintenance and improvement over time
Managing Non-Compliance
• Compliance requires ability and willingness
– Can’t comply: security asks that are impossible to complete. Must be removed as a matter of security hygiene.
– Could comply but won’t comply: tasks that can be completed in theory, but require a high level of effort and/or reduce productivity. Re-design or SEAT.
– Can comply and does comply: security tasks that are routinely completed. Provide initial baseline.
Improving decision making
• The natural limitations of the user must be recognised, as well as their goals
– Security interventions must be tailored and targeted – one size fits none
• The primary process of the business must be understood, and served
– This will be the major motivating force of the user’s actions
• The organisation has as much responsibility to change as the user
– Policies (e.g. health and safety, recycling, security) must be unified, not stove-piped
Questions?