Addressing Human Behavior in Cyber Security

Academic year: 2021

(1)

Addressing Human Behavior in Cyber Security

Michael Orosz, Ph.D.

USC Information Sciences Institute

(2)

This discussion is proudly sponsored through a partnership between AFCEA, IEEE Computer Society, and IEEE Security & Privacy Magazine

(3)

Who We Are

Founded in 1972 as a spin-off from the Rand Corporation

– A component of the USC Viterbi School of Engineering

– Locations: Marina del Rey, CA and Arlington, VA

Pioneering work in establishing the Internet (e.g., DNS)

Cyber-security research (examples):

– DETER cyber test bed (funded by DHS, NSF and DARPA)

– Smart Grid cyber-security (DoE and LADWP funded)

(4)

Review: Cyber Security is about Balance

Cyber security is increasingly seen as the management of economic trade-offs

Losses from actual attacks

– Monetary costs

– Psychological costs due to loss of privacy

– Loss of opportunity

Costs of threat/attack mitigation mechanisms

– Monetary costs

– Degradation of performance and productivity

(5)

Cyber Security is a socio-technical problem

• Traditional cyber security focuses on the technical side of the problem

• Cyber security is a socio-technical issue: it relies on technology and humans

• A system or network is only as secure as its weakest link – which typically falls on the human side of the equation

• Successful design, implementation, and enforcement of security requires understanding of interplay of

(6)

Recent Headlines

70M+ customers compromised

Syrian Electronic Army

(7)

Why are humans the weakest link?

Poor mental models of security due to the complexity of security systems

Bounded rationality

Use a set of heuristics as mental shortcuts in security decision making

– Heuristics, e.g., availability heuristic

– Biases, e.g., confirmation bias

Security trade-offs that can be evaluated incorrectly:

1. Severity of the risk

2. Probability of the risk

3. Magnitude of the costs

4. Effectiveness of countermeasure

(8)

We Don’t Understand

“I have nothing to lose or hide…”

“I can easily recover from a cyber-attack”

“We’re a small company, no one cares about us…”

“I’m not connected to the digital

(9)

Motivations

Attacker: Greed, power, access, “the thrill of it…”, etc.

The rest: Lazy, uninformed, confused,

(10)

Research Questions

• Why does the behavior of various actors diverge from rationality?

• Can we leverage this knowledge to increase cyber-security?

• What factors influence decision making for actors?

• How can we address the gaps between optimum and actual actions?

• How can we address attackers who take advantage of the gaps between perceived and actual risk?

(11)

Actors

Attackers: malicious actors who are focused on compromising and/or gaining access to a cyber system for various reasons

Defenders: non-malicious actors - those who intend to maintain the security of a system (e.g., IT personnel, security, etc.)

End-users: actors whose behavior/attitudes are indifferent to system security but who do not intend to attack the system

(12)

Research thrust 1: Decision Analysis Modeling of Users, Attackers, and Defenders

Increase our understanding of how humans process risk and apply heuristics to think about security

– we can learn how to override our natural tendencies and make better security trade-offs.

Increase our understanding of how malicious actors can take advantage of cognitive biases

– e.g., to make people feel more secure than they actually are to achieve their goals

Better understand how attackers actually behave (risk taking behavior and decision heuristics)

– ensure that the best technologies for threat prevention, detection, analysis, and mitigation are created.

– potential to reduce costs by implementing more targeted monitoring and protection.

(13)

Interactions between players in the adversarial cyber security game

To better understand the linkages between the stakeholders, we

(14)

Research thrust 2: Integrate Psychosocial Components into Cyber Security

Goal: understand, model, and integrate the psychosocial aspects in the design of effective human-centered security mechanisms.

Research questions:

1. Investigate to what extent the psychosocial characteristics of human-to-human interactions are evident in human-computer interactions relevant to cyber security.

2. Under which conditions do social preferences have important effects on cyber security?

– In particular, in what cases should the interaction resemble human-to-human communication in order to encourage the preferences beneficial to cyber security?

3. What is the best way to model and utilize these preferences?

(15)

Subject Matter Experts

Address Attackers, Defenders and End-Users

Answer questions such as:

• What motivates an attacker to undertake a cyber-attack?

• Why is a particular attack vector chosen?

• How do attackers assess risk?

• At what threshold does an attacker determine that risk is too high?

• Why do defenders take the actions they take in implementing counter-measures?

• How do defenders assess risk?

(16)

Working with SMEs

Surveys

• SMEs will be asked to take part in periodic (several per year) on-line surveys issued by project personnel

Expert elicitations

• One-on-one discussions (several per year) between SMEs and project personnel

• Approximately 1-2 hours in length

Process

• Minimize impact on SME’s time

• Based on surveys and discussions, the project team will develop initial models of actor behavior and various scenarios for each of the actors

• SMEs will be presented with models/scenarios to help with validation

(17)

Thank You

References
