Agent-based modeling of user circumvention of security

2005

In our research, we have been concerned with the question of how to make relevant features of security situations visible to users in order to allow them to make informed decisions regarding potential privacy and security problems, as well as regarding potential implications of their actions. To this end, we have designed technical infrastructures that make visible the configurations, activities, and implications of available security mechanisms. This thus allows users to make informed choices and take coordinated and appropriate actions when necessary. This work differs from the more traditional security usability work in that our focus is not only on the usability of security mechanism (e.g., the ease-of-use of an access control interface), but how security can manifest itself as part of people's interactions with and through information systems (i.e., how people experience and interpret privacy and security situations, and are enabled or constrained by existing technological mechanisms to act appropriately). In this paper, we report our experiences designing, developing, and testing two technical infrastructures for supporting this approach for usable security.

Our society is dependent on information and the different technologies and artifacts that gives us access to it. However, the technologies we have come to depend on in different aspects of our lives are imperfect and during the past decade, these imperfections have been the target of identity thieves, cyber criminals and malicious persons within and outside the organization. These malicious persons often target networks of organizations such as hospitals, banks and other financial organizations. Access to these networks are often gained by sidestepping security mechanisms of computer-systems connected to the organization’s network. Often, the goal of computer-systems security mechanisms is to prevent or detect threats; or recover from an eventual attack. However, despite huge investments in IT-security infrastructure and Information security, over 95% of banks, hospitals and government agencies have at least 10 malicious infections bypass existing security mechanisms and enter their network without being detected. This has resulted in the loss of valuable information and substantial sums of money from banks and other organizations across the globe. From early research in this area, it has been discovered that the reason why security mechanisms fail is because it is often used incorrectly or not used at all. Specifically, most users find the security mechanisms on their computers too complicated and they would rather not use it. Therefore, previous research have focused on making computer-systems security usable or simplifying security technology so that they are “less complicated” for all types users, instead of designing computers that are both usable and secure. The problem with this traditional approach is that security is treated as an “add-on” to a finished computer-system design. This study is an attempt to change the traditional approach by adjusting two phases of a computer-system design model to incorporate the collection of usability as well as security requirements. Guided by the exploratory case study research design, I gained new insights into a situation that has shocked security specialists and organizational actors alike. This study resulted in the creation of a methodology for designing usable and secure computer-systems. Although this method is in its rudimentary stage, it was tested using an online questionnaire. Data from the literature study was sorted using a synthesis matrix; and analyzed using qualitative content analysis. Some prominent design and security models and methodologies discussed in this report include User-Centered System Design (UCSD), Appropriate and Effective Guidance for Information Security (AEGIS) and Octave Allegro. Keywords: Computer-systems security, usability, information security, User-Centered System Design (UCSD), balance, synthesis matrix, security breach, design methodology, Carbanak Attack, AEGIS, Octave Allegr

Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, 2015

Agent-based modeling can serve as a valuable asset to security personnel who wish to better understand the security landscape within their organization, especially as it relates to user behavior and circumvention. In this paper, we argue in favor of cognitive behavioral agent-based modeling for usable security and report on our work on developing an agent-based model for a password management scenario. We perform a number of trials and a sensitivity analysis that provide valuable insights into improving security (e.g., an organization that wishes to suppress one form of circumvention may want to endorse another form of circumvention). Agent-based models incorporating user behavior, emotion, and cognition can serve as valuable tools that assist computer security personnel design, implement, and maintain security systems, devise security policies, and employ security practices that are congruent with security and other organizational objectives. Indeed, as the current state of security practice indicates, we need these sorts of tools. Our interviews, surveys, and observations reflect many examples where security fails to accommodate users. Such mismatches between user needs and security policies and mechanisms often induce circumvention, thereby undermining overall objectives. Even if one could design adequate security policies and mechanisms a priori, the dynamic nature of software systems, user needs, and organizational and environmental changes would necessitate frequent readjustments. Consequently, we need tools that allow us to better understand computer security's costs, common perceptions and misperceptions, side effects, and interactions.

… on Human-Computer Interaction and Security Systems …, 2003

This paper reviews past and current work on usability of security mechanisms. Given that most users interact with computer security on a daily basis, it is astonishing how little interest the CHI community has taken in the design of security systems. Many usability problems associated with security mechanisms could be avoided through application of basic usability knowledge and methods. At the same time, the design of security systems raises some issues that cannot be met with existing CHI knowledge and methods. In conclusion, I will outline the research challenges for improving usability of security systems.

ACM International Conference Proceeding Series, 2007

Humans are "smart components" in a system, but cannot be directly programmed to perform; rather, their autonomy must be respected as a design constraint and incentives provided to induce desired behavior. Sometimes these incentives are properly aligned, and the humans don't represent a vulnerability. But often, a misalignment of incentives causes a weakness in the system that can be exploited by clever attackers. Incentive-centered design tools help us understand these problems, and provide design principles to alleviate them. We describe incentive-centered design and some tools it provides. We provide a number of examples of security problems for which Incentive Centered Design might be helpful. We elaborate with a general screening model that offers strong design principles for a class of security problems.

Proceedings of the 2010 workshop on New security paradigms - NSPW '10, 2010

Recent strides in usability research have produced various solutions to assist computer users during interactions with IT security mechanisms. However, the usability concerns of users within organisations are not considered or simply not apparent to the one individual who can effect change, the IT security manager. Ideally these concerns would resonate with the IT security manager, and here we explore how that can be realised, through the design of a password policy decisionsupport tool. During two 2-hour sessions, 3 IT security managers discussed with us our mock-up prototypes and a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and "hot desking" initiatives). We find that the experience of the end-user is currently not appropriately represented within the IT security manager's decision-making process, where the financial costs/benefits and business impacts of information security controls are foremost. Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.

2001

The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the 'weakest link in the security chain'. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.

Personal and Ubiquitous Computing, 2004

Ubiquitous and mobile technologies create new challenges for system security. Effective security solutions depend not only on the mathematical and technical properties of those solutions, but also on people's ability to understand them and use them as part of their work. As a step towards solving this problem, we have been examining how people experience security as a facet of their daily life, and how they routinely answer the question, ''is this system secure enough for what I want to do?'' We present a number of findings concerning the scope of security, attitudes towards security, and the social and organizational contexts within which security concerns arise, and point towards emerging technical solutions.

Computers & Security, 2004

Computer security has traditionally been assessed from a technical point of view. One other view is about the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded-off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centered set of recommendations.

Security and Human Behaviour, 2008

To date, the usability of security systems has been problematic. I argue that this is partially a cultural problem within security research, partially a result of a conflation of the abstracted computational world with the complex social one, and partially a result of security researchers focussing on mechanism usability rather than the usability of systems within their social context. We present End User Development as a possible route forwards and show how its lessons can explain and generalise parts of the existing research in HCI-SEC (Human Computer Interaction -Security). Finally, we consider some challenges that remain in applying End User Development to security.