
Utilising human factors in the science of security Adam Beautement Department of Computer Science University College London, UK

Presentation transcript:

Slide 1: Utilising human factors in the science of security
Adam Beautement, Department of Computer Science, University College London, UK
a.beautement@cs.ucl.ac.uk

Slide 2: Overview
- Background
- Limitations of common security outlooks
- Compliance as a decision making process
- Identifying drivers for non-compliance
- Positively influencing the compliance decision

Slide 3: Background
- Research associate at UCL
  – ACE-CSR
  – RISC
- Focused on optimising information security decision making
  – Individuals
  – Organisations
- Current research takes a utility-based view of systems, fully incorporating human factors

Slide 4: Productive Security
A project motivated by the view that:
  – Security exists to serve the primary process, not as an end goal in its own right
  – Taking a Productive Security approach can at least improve productivity without compromising security, and possibly improve both at the same time
  – Security can act as a business enabler

Slide 5: The science of security
- There is no current science of security
- Security decisions are made by individuals, based on their own personal store of knowledge and experience
- Data is in short supply
  – Organisations are reluctant to release breach reports
  – What is security relevant?

Slide 6: The System
[Diagram: layers of the system]
- Technology / Infrastructure, secured by:
  – Technical controls
  – Control of the environment
- Processes
- End users: a wider range of interventions and approaches needed

Slide 7: Uninformed assumptions
- Security managers assume that users:
  – Are an unlimited source of effort
  – Are motivated by security
  – Are lacking in education
- And that educating them appropriately will change their behaviour
- None of these are true!
- Security systems based on these assumptions will fail

Slide 8: Hypothesis
[Chart: proportions of staff, with segments labelled ~10% and ~80%]
- Staff who think they know better, or don’t care
- Staff who know what they should do, but feel they can’t
- Staff who don’t know policy

Slide 9: Friction
- Security is a process that sits alongside others
  – Business
  – Infrastructure
  – Social
- Where security is designed without these in mind it creates friction

Slide 10: The Compliance Budget
[Chart: axes labelled "Perceived individual cost" and "Effectiveness of security policy"; a "Compliance Threshold" line; curves labelled "Higher Spending Rate" and "Lower Spending Rate"]

Slide 11: Outcome of the compliance decision
Outcome of a positive compliance decision, BENEFITS:
- Protection from responsibility
- Protection from sanctions
Outcome of a negative compliance decision, COSTS:
- Physical load
- Cognitive load
- Missed opportunity
- Embarrassment
- Reduced availability
- ‘Hassle factor’

Slide 12: Productive Security Methodology
1. Assess the scale of the problem
2. Identify problem areas and drivers of behaviour
3. Prioritise interventions
4. Design (and deploy) interventions
5. Assess impacts and outcomes

Slide 13: In practice…
1. Scenario-based survey, based on interview analysis, that assesses responses to conflict situations
2. Semi-structured interviews with a vertical cross section of the target organisation
3. Work with the organisation to determine strategy and capability
4. Select the optimal intervention, targeting the appropriate socio-technical factor(s)
5. Develop and utilise metrics to measure change in security behaviour and levels of compliance

Slide 14: Empirical data gathering
- Focused on identifying ways of managing non-compliance through:
  – Changing behaviour
  – Restructuring security systems/policy
- Working with commercial partners: 118 semi-structured interviews with staff on (non)compliance, to identify areas and reasons
- Online survey asking staff about security behaviour and attitudes
  – 1256 valid completed surveys
  – 800+ free text responses

Slide 15: Interview Results
- High level of awareness of corporate policies
- Every interviewee reported not complying with at least one policy
  – Hotspots include bypassing access control, not encrypting files, password sharing, tailgating
- Main drivers for non-compliance come from time and performance pressures:
  – Compliance impossible, or inconveniently delays the primary task
  – Compliance perceived to be damaging to individual/business performance

Slide 16: Behaviour and attitude survey
- 10 scenarios describing situations in which an employee is faced with a conflict between the business and security processes
- Scenarios split between Behaviour and Attitude types
- Each participant presented with 4 scenarios
  – Clear company policy, but “no easy answers”
  – Dilemma between business and security
  – Range of non-compliant options to deal with the dilemma
  – Participants ranked the options in order of preference
  – Rated severity of the security issue created by non-compliance in each scenario

Slide 17: Findings and recommendations

Interview/Scenario finding: Employees aware of risks but still not compliant
Suggested course of action: The problem is not one of knowledge; awareness training will not solve compliance issues, so new approaches are required

Interview/Scenario finding: Statistically significant cultural variation detected between US and UK populations
Suggested course of action: Interventions need to be tailored to the target populations; more business focused in the US and more security focused in the UK

Interview/Scenario finding: Passive disposition toward security; breaches and workarounds not challenged
Suggested course of action: Provide appropriate discrete channels for security feedback, whether complaints, problems or breach reports

Interview/Scenario finding: Main security driver is common sense, not organisational communications/policy
Suggested course of action: Seek to increase the visibility of the organisational message, and engagement with employees

Slide 18: What does ‘good’ look like?
- Showing what problems exist does not necessarily allow goals to be set
- Organisations are poor at describing what desirable security outcomes look like, especially with regard to security behaviour
  – Is it ever acceptable for employees to break policy?
- We looked at existing models, particularly the CM process maturity model, and adapted them

Slide 19: Security Behaviour Maturity Model
[Diagram: the maturity model; no text recovered]

Slide 20: The Maturity Model
- Actually expresses a relationship between the user and the policy
  – It is not just a checklist of desirable user attributes
- Individuals with a strong internal security culture will exhibit different behaviours depending on the quality of the policy they are working under
- Identifying these individuals improves organisational efficiency, as effort is not wasted in trying to retrain them

Slide 21: The Knowing-Doing Gap
- Alfawaz et al. identify that information can be unintentionally leaked when a gap exists between policy and behaviour
- They describe a framework of behaviour:
  – Not knowing, not doing (security novice)
  – Not knowing, doing (security savant)
  – Knowing, not doing (rule breaker)
  – Knowing, doing (optimal)

Slide 22: Interaction with the maturity model
- Overlaying these frameworks allows a behavioural diagnostic approach to be taken
- ‘Knowing, not doing’ can indicate:
  – A malicious insider
  – A worthwhile employee utilising workarounds due to a poor policy implementation
- Eliminating the second category, by reducing policy friction, improves insider detection

Slide 23: Key principles for mature security
- Relationship of security to the productive process
- Awareness of security-relevant events
- Detection and reporting of vulnerabilities
- Action to manage vulnerabilities/risk
- Action in case of human error
- Action in case of breach
- Maintenance and improvement over time

Slide 24: Managing Non-Compliance
Compliance requires ability and willingness.
- Can’t comply: security asks that are impossible to complete. Must be removed as a matter of security hygiene.
- Could comply but won’t comply: tasks that can be completed in theory, but require a high level of effort and/or reduce productivity. Re-design or SEAT.
- Can comply and does comply: security tasks that are routinely completed. Provide the initial baseline.
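The compliance budget of slides 10 and 11 and the three categories of slide 24 can be expressed as a small decision model. The following Python is an added illustration, not code from the talk or from UCL: it assumes that each security ask carries perceived costs on the six factors listed in slide 11, that an employee complies only while the cumulative perceived cost of the day's asks fits within a finite budget, and that an ask costing more than the entire budget is one the employee cannot comply with at all. The asks, their cost scores and the budget value are constructed for the example; the function names are mine.

```python
"""Compliance-budget decision model (added example, constructed values).

Encodes the talk's claim that compliance is a cost/benefit decision drawn
against a finite budget of effort: lowering the perceived cost of one ask
(the "re-design" option of slide 24) frees budget for later asks.
"""
from dataclasses import dataclass

# The cost factors named on slide 11; weights are all 1.0 unless overridden.
COST_FACTORS = ("physical", "cognitive", "missed_opportunity",
                "embarrassment", "availability", "hassle")


@dataclass(frozen=True)
class SecurityAsk:
    name: str
    costs: dict  # factor -> perceived load on a constructed 0..3 scale

    def perceived_cost(self, weights=None):
        weights = weights or {f: 1.0 for f in COST_FACTORS}
        return sum(weights[f] * self.costs.get(f, 0) for f in COST_FACTORS)


def compliance_decisions(asks, budget, weights=None):
    """Walk the asks in the order the day presents them, spending budget.
    Returns a list of (ask name, complied?) pairs; once the budget is gone,
    every later ask is skipped, which is the 'spending rate' effect of slide 10."""
    remaining = budget
    decisions = []
    for ask in asks:
        cost = ask.perceived_cost(weights)
        if cost <= remaining:
            remaining -= cost
            decisions.append((ask.name, True))
        else:
            decisions.append((ask.name, False))
    return decisions


def compliance_rate(decisions):
    return sum(1 for _, complied in decisions if complied) / len(decisions)


def classify(asks, budget, weights=None):
    """Slide 24's categories derived from the model: an ask dearer than the whole
    budget can never be complied with; one skipped only because earlier asks
    drained the budget is 'could comply but won't'."""
    decided = dict(compliance_decisions(asks, budget, weights))
    categories = {}
    for ask in asks:
        if ask.perceived_cost(weights) > budget:
            categories[ask.name] = "can't comply"
        elif not decided[ask.name]:
            categories[ask.name] = "could comply but won't"
        else:
            categories[ask.name] = "can comply and does"
    return categories


def redesign(ask, **lowered):
    """Return a copy of an ask with some cost factors reduced (policy re-design)."""
    costs = dict(ask.costs)
    costs.update(lowered)
    return SecurityAsk(ask.name, costs)


# A constructed working day of security asks, in the order they occur.
DAY = [
    SecurityAsk("badge in at door", {"physical": 1}),
    SecurityAsk("encrypt file before emailing",
                {"cognitive": 2, "hassle": 2, "missed_opportunity": 1}),
    SecurityAsk("lock screen when leaving desk", {"physical": 1, "hassle": 1}),
    SecurityAsk("use VPN for remote access",
                {"cognitive": 1, "availability": 2, "hassle": 1}),
    SecurityAsk("report suspicious email", {"cognitive": 1, "embarrassment": 2}),
    SecurityAsk("rotate all passwords monthly",
                {"cognitive": 3, "hassle": 3, "missed_opportunity": 3}),
]
BUDGET = 8.0  # constructed budget of perceived effort per day


def baseline():
    return compliance_decisions(DAY, BUDGET)


def after_redesign():
    """Re-design the encryption step so it costs no hassle and no lost opportunity."""
    day = [redesign(a, hassle=0, missed_opportunity=0)
           if a.name == "encrypt file before emailing" else a
           for a in DAY]
    return compliance_decisions(day, BUDGET)


if __name__ == "__main__":
    print("baseline compliance rate:", compliance_rate(baseline()))
    print("after re-design:", compliance_rate(after_redesign()))
    for name, category in classify(DAY, BUDGET).items():
        print(f"  {name}: {category}")
```

In the constructed day the baseline run complies with three of six asks: the costly encryption step drains the budget early, so the VPN and reporting asks are skipped and the password-rotation ask, costing more than the whole budget, falls into the "can't comply" category. Cutting the hassle and missed-opportunity costs of the encryption step alone lifts compliance to four of six without touching the other asks, which is the point the talk makes about friction: the late-day asks were not refused for lack of knowledge or motivation but for lack of remaining budget.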

Slide 25: Improving decision making
- The natural limitations of the user must be recognised, as well as their goals
  – Security interventions must be tailored and targeted: one size fits none
- The primary process of the business must be understood, and served
  – This will be the major motivating force of the user’s actions
- The organisation has as much responsibility to change as the user
  – Policies (e.g. health and safety, recycling, security) must be unified, not stove-piped

Slide 26: Questions?

