TY - GEN
T1 - Accounting for the human user in predictive security models
AU - Noureddine, Mohammad A.
AU - Marturano, Andrew
AU - Keefe, Ken
AU - Bashiry, Masooda
AU - Sanders, William H.
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/5/5
Y1 - 2017/5/5
N2 - Given the growing sophistication of cyber attacks, designing a perfectly secure system is not generally possible. Quantitative security metrics are thus needed to measure and compare the relative security of proposed security designs and policies. Since the investigation of security breaches has shown a strong impact of human errors, ignoring the human user in computing these metrics can lead to misleading results. Despite this, and although security researchers have long observed the impact of human behavior on system security, few improvements have been made in designing systems that are resilient to the uncertainties in how humans interact with a cyber system. In this work, we develop an approach for including models of user behavior, emanating from the fields of social sciences and psychology, in the modeling of systems intended to be secure. We then illustrate how one of these models, namely general deterrence theory, can be used to study the effectiveness of the password security requirements policy and the frequency of security audits in a typical organization. Finally, we discuss the many challenges that arise when adopting such a modeling approach, and then present our recommendations for future work.
KW - Computer crime
KW - Computer security
KW - Computer simulation
KW - Human factors
KW - Modeling
UR - http://www.scopus.com/inward/record.url?scp=85019606698&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85019606698&partnerID=8YFLogxK
U2 - 10.1109/PRDC.2017.58
DO - 10.1109/PRDC.2017.58
M3 - Conference contribution
AN - SCOPUS:85019606698
T3 - Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
SP - 329
EP - 338
BT - Proceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017
A2 - Kitakami, Masato
A2 - Kim, Dong Seong
A2 - Varadharajan, Vijay
PB - IEEE Computer Society
T2 - 22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017
Y2 - 22 January 2017 through 25 January 2017
ER -