Beautement, A; (2013) Optimising information security decision making. Doctoral thesis , UCL (University College London).

Preview

PDF Adam Beautement PHD Thesis.pdf Available under License : See the attached licence file. Download (2MB)

Abstract

The aim of the thesis is to investigate the relationship between human behaviour and effective security in order to develop tools and methods for supporting decision makers in the field of information security. A review of the literature of information security, Human Computer Interaction (HCI), and the economics of security reveals that role of users in delivering effective security has largely been neglected. Security designers working without an understanding of the limitations of human cognition implement systems that, by their nature, offer perverse incentives to the user. The result is the adoption of insecure behaviour by the users in order to cope with the burdens placed upon them. Despite HCI identifying the need for increased usability in security, much of the research in the field of HCI Security (HCISec) still focuses on improving the usability of the interface to security systems, rather than the underlying system itself. In addition, while the impact of user non-compliance on the effectiveness of security has been demonstrated, most security design methods still rely on technical measures and controls to achieve their security aims. In recent years the need to incorporate human factors into security decision making has been recognised but this process is not supported by appropriate tools or methodologies. The traditional CIA framework used to express security goals lacks the flexibility and granularity to support the analysis of the trade-offs that are taking place. The research gap is therefore not so much one of knowledge (for much of the required information does exist in the fields of security and HCI) but rather how to combine this knowledge to form an effective decision making framework. This gap is addressed by combining the fields of security and HCI with economics in order to provide a utility-based approach that allows the effective balancing and management of human factors alongside more technical measures and controls. The need to consider human effort as a limited resource is shown by highlighting the negative consequences of neglecting this axis of resource measurement. This need is expressed through the Compliance Budget model which treats users as perceptive actors conducting a cost/benefit analysis when faced with compliance decisions. Through the use of the qualitative data analysis methodology Grounded Theory, a set of semi-structured interviews were analysed to provide the basis for this model. Passwords form a running example throughout the thesis. The need to provide decision makers with empirical data grounded in the real world is recognised and addressed through a combination of data gathering techniques. A laboratory study and a field trial were conducted to gather performance data with two password policies. In order to make optimal use of this data, a unified approach to decision making is necessary. Alongside this, the usefulness of systems models as tools for simulation and analysis is recognised. An economically motivated framework is therefore presented that organises and expresses security goals with the methods required to fulfil them. The role of the user is fully represented in this framework which is structured in such a way as to allow a smooth transition from data gathering to systems modelling. This unified approach to optimising security decision making provides key insights into the requirements for making more effective real-world decisions in the field of information security and is a useful foundation for improving current practices in this area.

Download activity - last month

Export as JSONCSVXML

Download activity - last 12 months

Export as XMLCSVJSON

Downloads by country - last 12 months

Export as JSONXMLCSV

Archive Staff Only

View Item