Human Vulnerabilities in Security Systems - PowerPoint PPT Presentation
Transcript and Presenter's Notes

Title: Human Vulnerabilities in Security Systems

1
Cyber Security
  • Human Vulnerabilities in Security Systems

2
Human Vulnerabilities in Security Systems
  • Authors
  • M. Angela Sasse (UCL) Chair
  • Debi Ashenden (Cranfield)
  • Darren Lawrence (Cranfield)
  • Lizzie Coles-Kemp (RHUL)
  • Ivan Fléchais (Oxford)
  • Paul Kearney (BT)
  • Contributors
  • HP, Perpetuity, QinetiQ, TechnologyStrategy,
    Vodafone
  • Southampton University, Bath University,
    Loughborough University

3
Overview
  • Purpose of the White Paper
  • Understand the problem of human vulnerabilities
  • Identify available measures to address the
    problem space
  • Assess the effectiveness of such measures
  • Identify remaining challenges and promising areas
    for future research
  • Intended audience
  • Anyone with responsibility for securing
    information assets!

4
Setting the Scene: The organisational context
  • Security is more than just locks and keys and
    must relate to the social grouping and behaviour
    (Dhillon & Backhouse)
  • Success of InfoSec Managers depends on power
    plays (Ezingeard et al.)
  • Hackers pay more attention to the human link in
    the security chain than security designers do
    (Adams & Sasse)

5
What are Human Vulnerabilities?
  • Definition
  • Human characteristics and behaviour that
    create, contribute to the exploitation of, or
    exploit a system vulnerability
  • Includes
  • Unintentional and malicious behaviour
  • Systemic failures caused by errors in design and
    management
  • Behaviour that could lead to a breach
    (irrespective of whether it does)
  • Desirable behaviour that could lead to a breach

6
The Problem Space
  • Technology
  • Extensive use of ICT, coupled with speed of
    change
  • Leading to a knowledge and skills gap
  • Globalisation, outsourcing and offshoring
  • Leading to deperimeterisation
  • Business Processes
  • Technology implemented with insufficient
    consideration of impact on users
  • Leading to a high workload, complexity and
    bypassing of security mechanisms
  • People
  • Flatter organisations and flexible knowledge
    workers
  • Traditional command and control approach
    doesn't fit
  • Changing trust relationships within organisations
  • Leading to a lack of user understanding and
    motivation

7
Managing Risk
  • Information Security Management Systems
  • Systemic approach to setting security objectives
    and managing risk
  • Integrating security with the business
  • Supported by Policies
  • Policies
  • Communication tool
  • Should be a two-way process with user
  • Incident Reporting
  • Continuous feedback
  • Opportunities for learning

8
Trust
  • Trusting the end user to behave securely
  • Making the best use of resources
  • Different trust relationships to consider
  • Trust between a human and the technical
    infrastructure
  • Trust between humans, especially where the
    relationship is mediated by technology
  • Trust between a human and the organisation within
    which he or she functions

9
Design
  • Participative approach to security analysis and
    design
  • Stakeholders are given tools and know-how to
    better understand security and communicate their
    security needs
  • Taking account of the business context
  • Overheads balanced against effectiveness and
    usefulness
  • Security should add value
  • Integration of security into tasks and business
    processes
  • Designing for prevention of errors
  • Borrowing from criminology research

10
Awareness, Education and Training
  • Awareness
  • Raising interest and attention
  • Increasing motivation by offering users advice
    relevant to home environment
  • Education
  • Equipping users to deal with uncertainty and
    complexity in security decision-making
  • Training
  • Breaking old habits and establishing new ones
  • Based in the work context
  • Addressing specific security needs

11
Managing Organisational Behaviour
  • Human behaviour in the workplace
  • Areas of commonality
  • Productivity, job satisfaction, staff turnover,
    absenteeism
  • Collaboration with HR
  • Gap between formal security policies and
    procedures and actual behaviours needed
  • Organisational Citizenship Behaviour (OCB)
  • Managed through psychological contracts
  • Based on concordance (rather than command and
    control)

12
Future Work
  • Creating cultural change
  • Creating consent
  • Persuasive technologies
  • Distributed security management
  • Opportunity reduction
  • Balancing vetting/monitoring against
    privacy/trust
  • Design (tools and toolkits)
  • Risk assessment and communication
  • Modelling a human-technical system for security
    decision making

13
Conclusions
  • The White Paper provides an overview of the
    problem space and an indication of what can be
    done now
  • Much of this will already be familiar to the
    cyber security community
  • Some organisations are already exploring these
    issues
  • Few are addressing the issue of human
    vulnerabilities in depth
  • There is a great deal to be learned from research
    already carried out in other fields (psychology,
    sociology, management research)
  • Addressing human vulnerabilities is a complex
    issue
  • There is no silver bullet
  • For those who wish to consider the issues in
    greater depth there will be an extended version
    of the White Paper available
  • Critiquing existing research and measures in
    greater detail
  • Bibliography of relevant literature