Title: A Framework for Human Factors in Information Security
Slide 1: A Framework for Human Factors in Information Security
- Faculty of Engineering and Science
- Institute of Information and Communication Technology, Agder University College
- N-4876 Grimstad, Norway
- Jose.J.Gonzalez_at_hia.no, http://ikt.hia.no/josejg/
Slide 2: The problem
- People are the Achilles' heel of (information) security. Schneier (2000): "I tell prospective clients that the mathematics are impeccable, the computers are vincible, the networks are lousy, and the people are abysmal. I've learned a lot about the problems of securing computers and networks, but none that really helps solve the people problem."
- Symptoms: ubiquitous erosion of standards; a pattern of increasing noncompliance with security regulations over time, with transient improvement following incidents.
Slide 3: Causative space
- Many proposals for causes, depending on the problem and circumstances:
  - Throughput pressure
  - Behavioral economics
  - Shrinkage of allowable actions as the system is patched when vulnerabilities are discovered
  - See e.g. Anderson, 2001; Battmann & Klumb, 1993; Reason, 1990, 1997; Schneier, 2000
- Lacking a comprehensive business case targeted on security dynamics, we argue, as a minimum case, that in the absence of throughput pressure, behavioral economics, etc. a mechanism due to instrumental conditioning modulated by risk (mis)perception leads to erosion of standards.
- Instrumental conditioning plus risk misperception (Gonzalez, 2002a, b; Gonzalez & Sawicka, 2003a, b).
- But we ultimately look for comprehensive real-life case descriptions with reference behavior modes in order to create system dynamics simulations to explore.
- (Reference behavior modes are time plots of crucial parameters: problem symptoms, desired behavior, policy actions, etc.)
Slide 4: Minimum Case Based on Instrumental Conditioning Modulated by Risk Perception
- While other potential influences (e.g. throughput pressure) may or may not be present, there is always some impact of (changing) risk perception.
- Risk perception is highly volatile and dependent on direct and indirect circumstances (i.e. own and reported experiences), making its influence on compliance presumably equally volatile and conspicuous.
- Accordingly, we hypothesize that erosion of security standards always has a component due to instrumental conditioning modulated by changing risk perception.
Slide 5: Dynamic Hypothesis for Erosion of Standards for Minimum Case
- Instrumental conditioning: compliance with security standards is demanding (effort, attention, etc.) and detracts from other goals. Bypassing such impediments should be rewarding (reinforcing).
- Misperception of risk: modern technology makes security systems very robust; most infringements of rules remain without immediate consequences (no incidents occur). This counteracts a reasonably correct risk perception.
Slide 6: Behavior regulation theory of instrumental conditioning
- Homeostasis: the self-regulating process by which biological systems defend their stability (conditions that are optimal for survival).
- Behavior Regulation Theory (Timberlake 1980, 1984; Allison 1989): extension of homeostasis to response choice.
- Behavioral bliss point: organisms have a preferred distribution of activities.
- An instrumental conditioning procedure disrupts the behavioral bliss point.
- In behavioral regulation, what is defended is the organism's preferred distribution of activities, its behavioral bliss point.
- A system dynamics model of instrumental conditioning (Gonzalez, 2002a, b; Gonzalez & Sawicka, 2003a) renders the dynamics of instrumental conditioning.
Slide 7: Extension of Behavior Regulation Theory to Erosion of Security
- Behavioral bliss point: some minimum procedure (established, say, by perceptions over very long time periods without major incidents).
- Instrumental contingency: the constraint that disrupts the behavioral bliss point is risk perception.
- If risk is perceived as high, the instrumental response (compliance) is conditioned.
- As risk perception becomes less and less acute, the conditioned behavior is gradually eroded (extinction of conditioned behavior).
Slide 8: Reference Behavior for Minimum Case
- Kim works as a computer scientist in a small university.
- Past history is free from hacker attacks.
- Kim is used to dedicating one time slot every 14 days to preventive measures, i.e. Kim's behavioral bliss point (BBP) is one security-related task every 14 days.
- Starting July 1, 2002, Kim's university has become a popular target for hackers.
- Following a major incident, stringent security measures are introduced (one security-related task per day). Such measures are sufficient to prevent security incidents.
- Kim's behavior follows the famous "unrocked boat" pattern: as perceived risk declines (no incidents happen), Kim relaxes security, slowly returning to her BBP. Then an incident happens and Kim complies with security measures. The story repeats itself a few more times.
Slide 9: System Dynamics Model of Erosion of Standards
(Annotations on the model diagram; model developed with Powersim Studio.)
- One security-related task per day from July 1, 2002 on.
- Kim's preference, her BBP, is 1 task every 14 days.
- Kim's perceived risk is increased, with some perception delay, by accidents, and Kim's perceived risk is decreased over time if accidents do not happen.
- Low risk before July 1, 2002; high risk afterward.
- Correct risk perception (Preferred Security level ≥ Security level) acts as instrumental conditioning of compliance.
- Incorrect risk perception (Preferred Security level < Security level) leads to deconditioning of compliance.
- Kim's preferred security level is influenced by her risk perception.
Slide 10: Model behavior - I
(Time plot; labelled series: Accidents.)
Perceived risk is out of phase with actual (current) risk due to a perception delay. Accidents happen with increasing probability when current risk enters the accident zone.

Slide 11: Model behavior - II
Preferred security level is strongly influenced by the occurrence of accidents. Due to a long time constant for the extinction of conditioned behavior and the low probability of accidents, the actual security level decays slowly (lags behind).

Slide 12: Model behavior - III
Conditioning of higher compliance only occurs during a short interval in a "risk perception cycle." Misperception of risk and the absence of accidents due to secure technology act during a longer interval to de-condition desired behavior (extinction zone).
Slide 13: Policies Suggested by Our Model
- Important to entrench instrumental conditioning while risk perception is high:
  - Sustain high risk perception by education and campaigns while risk perception is still high
  - Select efficient schedules of conditioning
  - Prolong the conditioning zone by social engineering (social proof; Cialdini, 1993)
- Important to counteract extinction of conditioned behavior:
  - Watch out for indications of increasing noncompliance
  - Conditioned behavior is not really extinguished; rather, it is inhibited. Potential for reactivation of compliance?
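A runnable sketch of the model described on slides 8 to 13, added here as an example; it is not the Powersim Studio model of the original presentation. It reduces the model to four quantities: an exogenous actual risk (low before July 1, 2002, high afterwards), a perceived risk that follows accidents with a delay and decays when none occur, a preferred security level driven by perceived risk, and an actual security level that is conditioned quickly while the preferred level is at or above it and extinguished slowly while the preferred level is below it. Accidents are drawn at random once "current risk" enters an accident zone. Every numerical parameter, the hazard function, the saturation of the preferred level at the mandated schedule, and the `campaign_floor` lever (a stand-in for the "sustain high risk perception by education and campaigns" policy of slide 13) are assumptions made for this example.

```python
"""
Toy system-dynamics simulation of the 'erosion of security standards'
mechanism from slides 8-13: compliance is instrumentally conditioned by
risk perception, which lags behind accidents and fades when none occur.

Added example; this is not the Powersim model of the original presentation.
Parameter values, the accident-zone hazard function and the 'campaign
floor' policy lever are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import random


@dataclass
class Params:
    bbp: float = 1.0 / 14            # behavioral bliss point: 1 task per 14 days (tasks/day)
    mandated: float = 1.0            # stringent measure after an incident: 1 task per day
    perception_delay: float = 3.0    # days: perceived risk lags the accident signal
    risk_decay: float = 90.0         # days: the accident signal fades if no accidents happen
    conditioning_tau: float = 3.0    # days: fast adjustment while preferred >= actual level
    extinction_tau: float = 45.0     # days: slow decay while preferred < actual level
    risk_saturation: float = 0.5     # perceived risk at which Kim prefers the full mandate
    accident_zone: float = 0.5       # exposure above which accidents become possible
    max_hazard: float = 0.08         # accident probability per day at maximal exposure
    campaign_floor: float = 0.0      # policy lever (slide 13): floor under the risk signal


@dataclass
class Run:
    days: List[int] = field(default_factory=list)
    security_level: List[float] = field(default_factory=list)  # tasks/day, end of each day
    perceived_risk: List[float] = field(default_factory=list)
    accident_days: List[int] = field(default_factory=list)
    conditioning_days: int = 0       # days (from day 0 on) spent in the conditioning zone
    extinction_days: int = 0         # days (from day 0 on) spent in the extinction zone

    def level_on(self, day: int) -> float:
        return self.security_level[self.days.index(day)]


def threat(day: int) -> float:
    """Exogenous actual risk: low before July 1, 2002 (day 0), high afterwards."""
    return 0.1 if day < 0 else 1.0


def hazard(exposure: float, p: Params) -> float:
    """Daily accident probability: zero below the accident zone, rising linearly above it."""
    if exposure <= p.accident_zone:
        return 0.0
    return p.max_hazard * min(1.0, (exposure - p.accident_zone) / (1.0 - p.accident_zone))


def simulate(p: Optional[Params] = None, start_day: int = -365,
             end_day: int = 1460, seed: int = 7) -> Run:
    """Euler integration with a one-day step; seeded so that a run is reproducible."""
    p = p or Params()
    rng = random.Random(seed)
    run = Run()
    security = p.bbp        # Kim starts at her bliss point
    perceived = 0.0         # no accidents in her past
    signal = 0.0            # risk signal left behind by accidents
    for day in range(start_day, end_day + 1):
        # 'Current risk': the threat times the share of the mandated schedule Kim skips.
        exposure = threat(day) * (1.0 - security / p.mandated)
        if rng.random() < hazard(exposure, p):
            run.accident_days.append(day)
            signal = 1.0
        # Perceived risk follows the signal with a delay; the signal itself decays.
        perceived += (signal - perceived) / p.perception_delay
        signal *= 1.0 - 1.0 / p.risk_decay
        if run.accident_days:   # a campaign can only sustain a perception that exists
            signal = max(signal, p.campaign_floor)
        # Preferred security level is driven by perceived risk, saturating at the mandate.
        preferred = p.bbp + min(1.0, perceived / p.risk_saturation) * (p.mandated - p.bbp)
        gap = preferred - security
        if gap >= 0:             # correct risk perception: conditioning of compliance
            security += gap / p.conditioning_tau
            if day >= 0 and gap > 1e-9:
                run.conditioning_days += 1
        else:                    # misperception: extinction of the conditioned behavior
            security += gap / p.extinction_tau
            if day >= 0:
                run.extinction_days += 1
        security = min(p.mandated, max(p.bbp, security))
        run.days.append(day)
        run.security_level.append(security)
        run.perceived_risk.append(perceived)
    return run


if __name__ == "__main__":
    base = simulate()
    print("accidents on days:", base.accident_days)
    print("conditioning days:", base.conditioning_days, "extinction days:", base.extinction_days)
    policy = simulate(Params(campaign_floor=0.5))
    print("with campaign floor, accidents on days:", policy.accident_days)
```

Running the script prints the accident days and the number of days spent in each zone. With the default parameters the unrocked-boat pattern of slide 8 emerges on its own: after each accident the security level climbs to the mandated schedule within days, then decays over months until current risk re-enters the accident zone, and the extinction zone is several times longer than the conditioning zone, as slide 12 states. Setting `campaign_floor` above `risk_saturation` keeps the preferred level at the mandate once the first incident has been experienced, so the only accidents are the initial ones before compliance has been conditioned; this is the simplest reading of the "sustain high risk perception" policy, not a claim about the original model.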
Slide 14: The Way Beyond: Modeling Real-life Scenarios
- Reference behavior modes needed from case studies (e.g. temporal patterns describing policies and intrusion attempts)
- Development of comprehensive simulation models relating the structure (i.e. the causal patterns) of the problem to its behavior
- Output would be:
  - Verification of hypothesized causal patterns
  - Scenarios relating policies and outcomes
  - Testing of suggested solutions for the interaction between people, technology and working environment
- We look forward to collaborating with institutions and organizations
Slide 15: References I
- Allison, J. 1989. The nature of reinforcement. In Contemporary learning theories: Instrumental conditioning theory and the impact of biological constraints on learning, edited by S. B. Klein and R. R. Mowrer. Hillsdale, NJ: Erlbaum.
- Anderson, Ross. 2001. Security Engineering: A Comprehensive Guide to Building Dependable Distributed Systems. John Wiley & Sons.
- Battmann, Wolfgang, and Petra Klumb. 1993. Behavioural economics and compliance with safety regulations. Safety Science 16: 35-46.
- Cialdini, R. B. 1993. Influence: Science and Practice. 3rd ed. New York, NY: HarperCollins College Publishers.
- Domjan, M. 2000. The Essentials of Conditioning and Learning. 2nd ed. Belmont, CA: Wadsworth/Thomson Learning.
- Gonzalez, Jose J. 2002a. Modeling the Erosion of Security. 20th International System Dynamics Conference. Palermo, Italy.
- Gonzalez, Jose J. 2002b. Modeling Erosion of Safe Sex Practices. 20th International System Dynamics Conference. Palermo, Italy.
Slide 16: References II
- Gonzalez, J. J., and A. Sawicka. 2003a. Modeling instrumental conditioning: The behavioral regulation approach. To be presented at the 36th Hawaii International Conference on System Sciences (HICSS 36). Big Island, Hawaii.
- Gonzalez, J. J., and A. Sawicka. 2003b. Origins of compliance: An instrumental conditioning perspective. Submitted to the International Conference on Cognitive Modeling (ICCM 2003). Bamberg, Germany.
- Reason, J. 1990. Human Error. New York: Cambridge University Press.
- Reason, J. 1997. Managing the Risks of Organizational Accidents. Hants, UK: Ashgate Publishing Ltd.
- Schneier, B. 2000. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, Inc.
- Timberlake, W. 1980. A molar equilibrium theory of learned performance. In The psychology of learning and motivation, edited by G. H. Bower. Orlando, FL: Academic Press.
- Timberlake, W. 1984. Behavioral regulation and learned performance: Some misapprehensions and disagreements. Journal of the Experimental Analysis of Behavior 41: 355-75.