Accounting for the human user in predictive security models

Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC

Volumn , Issue , 2017, Pages 329-338

  Noureddine, Mohammad A ^a   Marturano, Andrew ^a   Keefe, Ken ^a   Bashiry, Masooda ^b   Sanders, William H ^c  

^a Information Trust Institute   (United States)

^b School of Information Science   (United States)

^c University of Illinois at Urbana Champaign   (United States)

Author keywords

Computer crime; Computer security; Computer simulation; Human factors; Modeling

Indexed keywords

COMPUTATION THEORY; COMPUTER CRIME; COMPUTER SIMULATION; HUMAN ENGINEERING; MODELS; NETWORK SECURITY; SECURITY OF DATA; SOCIAL SCIENCES;

DESIGNING SYSTEMS; HUMAN BEHAVIORS; MODEL OF SYSTEMS; PASSWORD SECURITY; SECURITY BREACHES; SECURITY DESIGN; SECURITY METRICS; SYSTEM SECURITY;

BEHAVIORAL RESEARCH;

EID: 85019606698     PISSN: 15410110     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/PRDC.2017.58     Document Type: Conference Paper

References (40)

1. IBM Global Technology Services, "IBM security services 2014 cyber security intelligence index, " Tech. Rep., 2014.
2. C. Warzel and M. Zeitlin, "It gets worse: The newest Sony data breach exposes thousands of passwords, " http://www. buzzfeed. com, 2014.
3. H. Suo, J. Wan, C. Zou, and J. Liu, "Security in the Internet of Things: A review, " in Proc. Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on, vol. 3, March 2012, pp. 648-651.
4. M. Bishop, "Psychological acceptability revisited, " in Security and Usability: Designing secure systems that people can use. Sebastopol, CA: OReilly Media, 2005, pp. 1-12.
5. A. Beautement, M. A. Sasse, and M. Wonham, "The compliance budget: Managing security behaviour in organisations, " in Proceedings of the 2008 Workshop on New Security Paradigms (NSPW). New York, NY, USA: ACM, 2008, pp. 47-58.
6. R. West, "The psychology of security, " Commun. ACM, vol. 51, no. 4, pp. 34-40, Apr. 2008.
7. J. D'Arcy, A. Hovav, and D. Galletta, "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, " Information Systems Research, vol. 20, no. 1, pp. 79-98, 2009.
8. A. Beautement, R. Coles, J. Griffin, C. Ioannidis, B. Monahan, D. Pym, A. Sasse, and M. Wonham, "Modelling the human and technological costs and benefits of USB memory stick security, " in Managing Information Risk and the Economics of Security, M. Johnson, Ed. Springer US, 2009, pp. 141-163.
9. D. Eskins and W. Sanders, "The multiple-asymmetric-utility system model: A framework for modeling cyber-human systems, " in Proc. Quantitative Evaluation of Systems (QEST), 2011 Eighth International Conference on, Sept. 2011, pp. 233-242.
10. C. Colwill, "Human factors in information security: The insider threat-who can you trust these days?" Information Security Technical Report, vol. 14, no. 4, pp. 186-196, 2009.
11. B. Schneier, "The psychology of security, " in Proc. Progress in Cryptology: First International Conference on Cryptology in Africa (AFRICACRYPT), S. Vaudenay, Ed., vol. 5023. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 50-79.
12. A. Adams and M. A. Sasse, "Users are not the enemy, " Commun. ACM, vol. 42, no. 12, pp. 40-46, Dec. 1999.
13. W. Sanders, "Quantitative security metrics: Unattainable holy grail or a vital breakthrough within our reach?" IEEE Security and Privacy, vol. 12, no. 2, pp. 67-69, Mar. 2014.
14. J. B. Taylor, "Discretion versus policy rules in practice, " Carnegie-Rochester Conference Series on Public Policy, vol. 39, pp. 195-214, 1993.
15. S. E. Parkin, A. van Moorsel, and R. Coles, "An information security ontology incorporating human-behavioural implications, " in Proceedings of the International Conference on Security of Information and Networks (SIN). New York, NY, USA: ACM, 2009, pp. 46-55.
16. S. E. Parkin, R. Yassin Kassab, and A. van Moorsel, "The impact of unavailability on the effectiveness of enterprise information security technologies, " in Proc. Service Availability: 5th International Service Availability Symposium (ISAS), T. Nanya, F. Maruyama, A. Pataricza, and M. Malek, Eds., vol. 5017. Springer Berlin Heidelberg, 2008, pp. 43-58.
17. M. Theoharidou, S. Kokolakis, M. Karyda, and E. Kiountouzis, "The insider threat to information systems and the effectiveness of ISO17799, " Computers & Security, vol. 24, no. 6, pp. 472-484, 2005.
18. T. Herath and H. Rao, "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, " Decision Support Systems, vol. 47, no. 2, pp. 154-165, 2009.
19. J. B. Hardee, R. West, and C. B. Mayhorn, "To download or not to download: An examination of computer security decision making, " ACM interactions, vol. 13, no. 3, pp. 32-37, May 2006.
20. P. Ifinedo, "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory, " Computers & Security, vol. 31, no. 1, pp. 83-95, 2012.
21. B. Bulgurcu, H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness, " MIS Quarterly, vol. 34, no. 3, pp. 523-548, 2010.
22. J.-Y. Son, "Out of fear or desire? toward a better understanding of employees' motivation to follow IS security policies, " Information & Management, vol. 48, no. 7, pp. 296-302, 2011.
23. A. C. Johnston and M. Warkentin, "Fear appeals and information security behaviors: An empirical study, " MIS quarterly, vol. 34, no. 3, pp. 549-566, 2010.
24. B.-Y. Ng, A. Kankanhalli, and Y. C. Xu, "Studying users' computer security behavior: A health belief perspective, " Decision Support Systems, vol. 46, no. 4, pp. 815-825, 2009.
25. J. Lee and Y. Lee, "A holistic model of computer abuse within organizations, " Information Management & Computer Security, vol. 10, no. 2, pp. 57-63, 2002.
26. W. H. Sanders and J. F. Meyer, "Stochastic activity networks: Formal definitions and concepts, " in Lectures on Formal Methods and Performance Analysis, ser. Lecture Notes in Computer Science, E. Brinksma, H. Hermanns, and J.-P. Katoen, Eds., vol. 2090. Springer Berlin Heidelberg, 2001, pp. 315-343.
27. G. Clark, T. Courtney, D. Daly, D. Deavours, S. Derisavi, J. M. Doyle, W. H. Sanders, and P. Webster, "The Möbius modeling tool, " in Proc. Petri Nets and Performance Models, 2001. 9th International Workshop on, 2001, pp. 241-250.
28. B. Ur, S. M. Segreti, L. Bauer, N. Christin, L. F. Cranor, S. Komanduri, D. Kurilova, M. L. Mazurek, W. Melicher, and R. Shay, "Measuring real-world accuracies and biases in modeling password guessability, " in Proc. 24th USENIX Security Symposium (USENIX Security 15). Washington, D. C.: USENIX Association, Aug. 2015, pp. 463-481.
29. C. Kuo, S. Romanosky, and L. F. Cranor, "Human selection of mnemonic phrase-based passwords, " in Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS). New York, NY, USA: ACM, 2006, pp. 67-78.
30. F. Greitzer, J. Strozer, S. Cohen, J. Bergey, J. Cowley, A. Moore, and D. Mundie, "Unintentional insider threat: Contributing factors, observables, and mitigation strategies, " in Proc. System Sciences (HICSS), 2014 47th Hawaii International Conference on, Jan. 2014, pp. 2025-2034.
31. Verizon, "2014 data breach investigations report, " Tech. Rep., 2014.
32. Symantec, "Internet security threat report, " Tech. Rep., 2015.
33. D. M. Nicol, W. H. Sanders, and K. S. Trivedi, "Model-based evaluation: from dependability to security, " Dependable and Secure Computing, IEEE Transactions on, vol. 1, no. 1, pp. 48-65, Jan. 2004.
34. S. M. Bellovin, "On the brittleness of software and the infeasibility of security metrics, " IEEE Security & Privacy, vol. 4, no. 4, p. 96, 2006.
35. D. Leversage and E. James, "Estimating a system's mean time-tocompromise, " IEEE Security & Privacy, vol. 6, no. 1, pp. 52-60, Jan. 2008.
36. B. Schneier, "Attack trees, " Dr. Dobbs Journal, vol. 24, no. 12, pp. 21-29, 1999.
37. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke, "Model-based security metrics using ADversary VIew Security Evaluation (ADVISE), " in Quantitative Evaluation of Systems (QEST), 2011 Eighth International Conference on, Sept. 2011, pp. 191-200.
38. R. Cain and A. van Moorsel, "Proc. optimization of data collection strategies for model-based evaluation and decision-making, " in Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on, June 2012, pp. 1-10.
39. P. Sanders, "DoD modeling and simulation (M&S) verification, validation, and accreditation (VV&A), " DTIC Document, Tech. Rep., 1996.
40. E. Bonabeau, "Agent-based modeling: Methods and techniques for simulating human systems, " Proceedings of the National Academy of Sciences, vol. 99, no. suppl 3, pp. 7280-7287, 2002.