A Framework for Human Factors in Information Security - PowerPoint PPT Presentation

Slides: 17
Provided by: josej155
1
A Framework for Human Factors in Information
Security
  • Faculty of Engineering and Science
  • Institute of Information and Communication
    Technology
  • Agder University College
  • N-4876 Grimstad, Norway
  • Jose.J.Gonzalez@hia.no, http://ikt.hia.no/josejg/

2
The problem
  • People are the Achilles' heel of (information)
    security
  • Schneier (2000): "I tell prospective clients
    that the mathematics are impeccable, the
    computers are vincible, the networks are lousy,
    and the people are abysmal. I've learned a lot
    about the problems of securing computers and
    networks, but none that really helps solve the
    people problem."
  • Symptoms: ubiquitous erosion of standards, i.e. a
    pattern of increasing noncompliance with security
    regulations over time, with transient improvement
    following incidents

3
Causative space
  • Many proposals for causes, depending on the
    problem and circumstances:
  • Throughput pressure
  • Behavioral economics
  • Shrinkage of allowable actions as the system is
    patched when vulnerabilities are discovered
  • See e.g. Anderson, 2001; Battmann & Klumb, 1993;
    Reason, 1990, 1997; Schneier, 2000
  • Lacking a comprehensive business case targeted
    on security dynamics, we argue as a minimum case
    that, in the absence of throughput pressure,
    behavioral economics, etc., a mechanism due to
    instrumental conditioning modulated by risk
    (mis)perception leads to erosion of standards
  • Instrumental conditioning + risk misperception
    (Gonzalez, 2002a, b; Gonzalez & Sawicka, 2003a, b)
  • But we ultimately look for comprehensive
    real-life case descriptions with reference
    behavior modes in order to create system dynamics
    simulations to explore them
  • (Reference behavior modes are time plots of
    crucial parameters: problem symptoms, desired
    behavior, policy actions, etc.)

4
Minimum Case: Based on Instrumental Conditioning
Modulated by Risk Perception
  • While other potential influences (e.g. throughput
    pressure) may or may not be present, there is
    always some impact of (changing) risk perception.
  • Risk perception is highly volatile and dependent
    on direct and indirect circumstances (i.e. own
    and reported experiences), making its influence
    on compliance presumably equally volatile and
    conspicuous.
  • Accordingly, we hypothesize that erosion of
    security standards always has a component due to
    instrumental conditioning modulated by changing
    risk perception.

5
Dynamic Hypothesis for Erosion of Standards for
Minimum Case
  • Instrumental conditioning: Compliance with
    security standards is demanding (effort,
    attention, etc.) and detracts from other goals.
    Bypassing such impediments should be rewarding
    (reinforcing).
  • Misperception of risk: Modern technology makes
    security systems very robust; most infringements
    of rules remain without immediate consequences
    (no incidents occur). This counteracts a
    reasonably correct risk perception.

6
Behavior Regulation Theory of Instrumental
Conditioning
  • Homeostasis: self-regulating process by which
    biological systems defend their stability
    (conditions that are optimal for survival).
  • Behavior Regulation Theory (Timberlake, 1980,
    1984; Allison, 1989): extension of homeostasis to
    response choice.
  • Behavioral bliss point: organisms have a
    preferred distribution of activities.
  • An instrumental conditioning procedure disrupts
    the behavioral bliss point.
  • In behavioral regulation, what is defended is the
    organism's preferred distribution of activities,
    its behavioral bliss point.
  • A system dynamics model of instrumental
    conditioning (Gonzalez, 2002a, b; Gonzalez &
    Sawicka, 2003a) renders the dynamics of
    instrumental conditioning

7
Extension of Behavior Regulation Theory to
Erosion of Security
  • Behavioral bliss point is some minimum
    procedure (established, say, by perceptions over
    very long time periods without major incidents).
  • Instrumental contingency: the constraint that
    disrupts the behavioral bliss point is risk
    perception.
  • If risk is perceived as high, the instrumental
    response (compliance) is conditioned.
  • As risk perception becomes less and less acute,
    the conditioned behavior is gradually eroded
    (extinction of conditioned behavior).

8
Reference Behavior for Minimum Case
  • Kim works as a computer scientist in a small
    university
  • Past history is free from hacker attacks
  • Kim is used to dedicating one time slot every 14
    days to preventive measures, i.e. Kim's
    behavioral bliss point (BBP) is one
    security-related task every 14 days
  • Starting July 1, 2002, Kim's university has
    become a popular target for hackers
  • Following a major incident, stringent security
    measures are introduced (one security-related
    task per day). Such measures are sufficient to
    prevent security incidents
  • Kim's behavior follows the famous "unrocked boat"
    pattern: As perceived risk declines (no
    incidents happen), Kim relaxes security, slowly
    returning to her BBP. Then an incident happens
    and Kim complies with security measures. The
    story repeats itself a few more times.

9
System Dynamics Model of Erosion of Standards
(Model diagram; its annotations:)
  • One security-related task per day from July 1,
    2002 on
  • Kim's preference (her BBP) is 1 task every 14
    days
  • Kim's perceived risk is increased, with some
    perception delay, by accidents, and Kim's
    perceived risk is decreased over time if
    accidents do not happen
  • Low risk before July 1, 2002; high risk afterward
  • Correct risk perception (Preferred security
    level > Security level) acts as instrumental
    conditioning of compliance
  • Incorrect risk perception (Preferred security
    level < Security level) leads to deconditioning
    of compliance
  • Kim's preferred security level is influenced by
    her risk perception
  • Model developed with Powersim Studio
10
Model behavior - I
Perceived risk is out of phase with actual
(current) risk due to a perception delay.
Accidents happen with increasing probability when
current risk enters the accident zone.
(Plot: perceived vs. current risk over time, with
accidents marked.)
11
Model behavior - II
Preferred security level is strongly influenced
by the occurrence of accidents. Due to a long
time constant for the extinction of conditioned
behavior and the low probability of accidents the
actual security level decays slowly (lags behind)
12
Model behavior - III
Conditioning of higher compliance only occurs
during a short interval in a "risk perception
cycle." Misperception of risk and the absence of
accidents due to secure technology act during
a longer interval to de-condition desired
behavior (extinction zone).
13
Policies Suggested by Our Model
  • Important to entrench instrumental conditioning
    while risk perception is high:
  • Sustain high risk perception by education and
    campaigns while risk perception is still high
  • Select efficient schedules of conditioning
  • Prolong the conditioning zone by social engineering
    (social proof; Cialdini, 1993)
  • Important to counteract extinction of conditioned
    behavior:
  • Watch out for indications of increasing
    noncompliance
  • Conditioned behavior is not really extinguished;
    rather, it is inhibited. Potential for
    reactivation of compliance?
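The following is an added, self-contained simulation, not the Powersim model from the slides, that reproduces the mechanism of slides 9-12 (perception delay, accidents when current risk enters an accident zone, fast conditioning while preferred security exceeds actual security, slow extinction otherwise) and then compares the baseline with one of the policies on slide 13: watching for increasing noncompliance and refreshing risk perception with an awareness campaign while it is still reasonably high. Kim's BBP (1 task per 14 days) and the mandated level after the incident (1 task per day) come from slide 8; every other parameter value, the exposure rule used in place of a stochastic accident probability, and the functions `simulate` and `mean_security` are assumptions made here so that the run is deterministic.

```python
"""
Minimal discrete-time (one step = one day) system dynamics model of the
erosion-of-standards mechanism from slides 8-12.  Parameter values are
assumptions chosen to reproduce the qualitative "unrocked boat" reference
behavior; they are not taken from the original Powersim model.
"""
from dataclasses import dataclass, field

# Kim's behavioral bliss point (1 task / 14 days) and the mandated level
# after the major incident (1 task / day), both from slide 8.
BBP = 1.0 / 14.0
REQUIRED = 1.0

# Assumed parameters (days unless noted).
HIGH_RISK_START = 181                # July 1, 2002 when day 0 is Jan 1, 2002
THREAT_LOW, THREAT_HIGH = 0.05, 0.8  # hazard environment before / after
PERCEPTION_DELAY = 5      # lag between risk signal and perceived risk
FORGET_TIME = 60          # risk signal fades with this time constant
TAU_CONDITION = 3         # fast: compliance rises while preferred > actual
TAU_EXTINCTION = 90       # slow: compliance erodes while preferred < actual
ACCIDENT_ZONE = 0.3       # current risk above this accumulates exposure
ACCIDENT_EXPOSURE = 5.0   # accumulated excess risk that triggers an accident
EXPOSURE_DECAY = 0.9      # per-day decay of exposure outside the zone


@dataclass
class Run:
    security: list = field(default_factory=list)   # actual security level per day
    perceived: list = field(default_factory=list)  # perceived risk (0..1) per day
    accidents: list = field(default_factory=list)  # days on which accidents occurred
    campaigns: list = field(default_factory=list)  # days on which campaigns fired


def simulate(days=730, campaign_threshold=None, campaign_cooldown=14):
    """Simulate Kim for `days` days and return the trajectories.

    campaign_threshold=None is the baseline (no policy).  Otherwise an
    awareness campaign fires whenever the security level falls below
    campaign_threshold * REQUIRED once the mandate exists, at most once per
    campaign_cooldown days.  A campaign raises the risk signal exactly as an
    accident would, without the accident.
    """
    run = Run()
    security = BBP          # stock: actual security level (tasks per day)
    perceived = 0.0         # stock: perceived risk
    signal = 0.0            # stock: risk signal fed by accidents / campaigns
    exposure = 0.0          # stock: accumulated excess risk inside the zone
    mandated = False        # stringent measures exist after the first incident
    last_campaign = -10**9

    for day in range(days):
        threat = THREAT_HIGH if day >= HIGH_RISK_START else THREAT_LOW
        current_risk = threat * (1.0 - security / REQUIRED)

        # Accidents: exposure builds while current risk is in the accident
        # zone (slide 10) and decays otherwise; an accident resets it.
        if current_risk > ACCIDENT_ZONE:
            exposure += current_risk - ACCIDENT_ZONE
        else:
            exposure *= EXPOSURE_DECAY
        if exposure >= ACCIDENT_EXPOSURE:
            run.accidents.append(day)
            exposure = 0.0
            signal = 1.0           # the accident raises the risk signal
            security = REQUIRED    # slide 8: stringent measures after incident
            mandated = True

        # Policy (slide 13): campaign triggered by observed noncompliance.
        if (campaign_threshold is not None and mandated
                and security < campaign_threshold * REQUIRED
                and day - last_campaign >= campaign_cooldown):
            run.campaigns.append(day)
            last_campaign = day
            signal = 1.0

        # The signal fades if nothing happens; perception lags the signal
        # (slides 9-10: perception delay, decline without accidents).
        signal -= signal / FORGET_TIME
        perceived += (signal - perceived) / PERCEPTION_DELAY

        # Preferred level is set by perceived risk (slide 9); compliance is
        # conditioned quickly and extinguished slowly (slides 11-12).
        preferred = BBP + (REQUIRED - BBP) * perceived
        if preferred > security:
            security += (preferred - security) / TAU_CONDITION
        else:
            security -= (security - preferred) / TAU_EXTINCTION
        security = min(REQUIRED, max(BBP, security))

        run.security.append(security)
        run.perceived.append(perceived)
    return run


def mean_security(run, start=0):
    """Average security level from day `start` on."""
    vals = run.security[start:]
    return sum(vals) / len(vals)


if __name__ == "__main__":
    base = simulate()
    pol = simulate(campaign_threshold=0.7)
    print("baseline accidents:", base.accidents)
    print("policy accidents:  ", pol.accidents, "campaigns:", pol.campaigns)
    first = base.accidents[0]
    print(f"mean security after the mandate: baseline {mean_security(base, first):.2f},"
          f" policy {mean_security(pol, first):.2f}")
```

The baseline run shows the slide 8 story: nothing happens while the threat is low, the first incident arrives shortly after July 1, compliance jumps to the mandated level and then erodes for months until the next incident. With the campaign policy the trajectories are identical up to the first incident (the policy only has something to monitor once a mandate exists); afterwards each campaign lifts perceived risk before compliance has decayed into the accident zone, so the run stays out of the zone and has no further incidents. Compare the runs on accident counts rather than on mean security: every accident in the baseline resets compliance to the mandated level, so a high average can coexist with a poor outcome.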

14
The Way Beyond: Modeling Real-life Scenarios
  • Reference behavior modes (e.g. temporal patterns
    describing policies and intrusion attempts) are
    needed from case studies
  • Development of comprehensive simulation models
    relating the structure (i.e. the causal patterns)
    of the problem to its behavior
  • Output would be:
  • Verification of hypothesized causal patterns
  • Scenarios relating policies and outcomes
  • Testing of suggested solutions for the
    interaction between people, technology and
    working environment
  • We look forward to collaborating with institutions
    and organizations

15
References I
  • Allison, J. 1989. The nature of reinforcement. In
    Contemporary learning theories: Instrumental
    conditioning theory and the impact of biological
    constraints on learning, edited by S. B. Klein
    and R. R. Mowrer. Hillsdale, NJ: Erlbaum.
  • Anderson, Ross. 2001. Security Engineering: A
    Comprehensive Guide to Building Dependable
    Distributed Systems. John Wiley & Sons.
  • Battmann, Wolfgang, and Petra Klumb. 1993.
    Behavioural economics and compliance with safety
    regulations. Safety Science 16: 35-46.
  • Cialdini, R. B. 1993. Influence: Science and
    Practice. 3rd ed. New York, NY: HarperCollins
    College Publishers.
  • Domjan, M. 2000. The Essentials of Conditioning and
    Learning. 2nd ed. Belmont, CA: Wadsworth/Thomson
    Learning.
  • Gonzalez, Jose J. 2002a. Modeling the Erosion
    Security. 20th International System Dynamics
    Conference. Palermo, Italy.
  • Gonzalez, Jose J. 2002b. Modeling Erosion of Safe
    Sex Practices. 20th International System Dynamics
    Conference. Palermo, Italy.

16
References II
  • Gonzalez, J. J., and A. Sawicka. 2003a. Modeling
    instrumental conditioning: The behavioral
    regulation approach. To be presented at the 36th
    Hawaii International Conference on System
    Sciences (HICSS 36). Big Island, Hawaii.
  • Gonzalez, J. J., and A. Sawicka. 2003b. Origins of
    compliance: An instrumental conditioning
    perspective. Submitted to the International
    Conference on Cognitive Modeling (ICCM 2003).
    Bamberg, Germany.
  • Reason, J. 1990. Human Error. New York: Cambridge
    University Press.
  • Reason, J. 1997. Managing the Risks of
    Organizational Accidents. Hants, UK: Ashgate
    Publishing Ltd.
  • Schneier, B. 2000. Secrets and Lies: Digital Security
    in a Networked World. New York: John Wiley &
    Sons, Inc.
  • Timberlake, W. 1980. A molar equilibrium theory
    of learned performance. In The psychology of
    learning and motivation, edited by G. H. Bower.
    Orlando, FL: Academic Press.
  • Timberlake, W. 1984. Behavioral regulation and
    learned performance: Some misapprehensions and
    disagreements. Journal of the Experimental
    Analysis of Behavior 41: 355-75.