Accounting for the human user in predictive security models

Mohammad A. Noureddine, Andrew Marturano, Ken Keefe, Masooda Bashir, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Given the growing sophistication of cyber attacks, designing a perfectly secure system is not generally possible. Quantitative security metrics are thus needed to measure and compare the relative security of proposed security designs and policies. Since the investigation of security breaches has shown a strong impact of human errors, ignoring the human user in computing these metrics can lead to misleading results. Despite this, and although security researchers have long observed the impact of human behavior on system security, few improvements have been made in designing systems that are resilient to the uncertainties in how humans interact with a cyber system. In this work, we develop an approach for including models of user behavior, emanating from the fields of social sciences and psychology, in the modeling of systems intended to be secure. We then illustrate how one of these models, namely general deterrence theory, can be used to study the effectiveness of the password security requirements policy and the frequency of security audits in a typical organization. Finally, we discuss the many challenges that arise when adopting such a modeling approach, and then present our recommendations for future work.

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017
Editors: Masato Kitakami, Dong Seong Kim, Vijay Varadharajan
Publisher: IEEE Computer Society
Pages: 329-338
Number of pages: 10
ISBN (Electronic): 9781509056514
State: Published - May 5 2017
Event: 22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017 - Christchurch, New Zealand
Duration: Jan 22 2017 to Jan 25 2017

Publication series

Name: Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
ISSN (Print): 1541-0110

Other

Other: 22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017
Country/Territory: New Zealand
City: Christchurch
Period: 1/22/17 to 1/25/17

Keywords

  • Computer crime
  • Computer security
  • Computer simulation
  • Human factors
  • Modeling

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Hardware and Architecture
  • Software
