Human Behaviour and Security Compliance
M. Angela Sasse
University College London, UK
Research Institute for Science of Cyber Security
www.ucl.ac.uk/cybersecurity/
Academic Centre of Excellence for Cyber Security Research
Overview
1. Why do employees not comply with security policies?
2. How can organisations improve security compliance?
   1. Decide what you want. Compliance? Or Security?
   2. Understand what you are asking employees to do.
   3. Reduce friction – better design. And improve productivity in the process!
   4. Engage employees – from passive compliance to active participation.
Background
• 1996: Usability study to explain password security (with Anne Adams)
• Published in 1999: “Users Are Not the Enemy”
• Also 1999: Whitten & Tygar, “Why Johnny can’t encrypt”
• Started research in usable security
Has it made a difference in practice?
• Consider authentication:
– Nielsen (2000) said that biometrics are highly usable and would replace passwords.
– Schneier (2000) and Gates (2004) predicted that passwords would become obsolete.
• Instead:
– People have more passwords. Longer ones.
– They write down, store, re-use and re-cycle passwords.
– They have to think up and recall back-up credentials for passwords. And solve a CAPTCHA before they are allowed to attempt to remember them.
Allendoerfer & Pai (2005): Human Factors Considerations for Passwords and Other User Identification Techniques. US DOT/FAA/CT-05/20
Designing better security mechanisms
1. Fitting the system around the human (90% of the time) – bending the human to fit the task (10%)
2. Security is a secondary task – it should create as little additional workload and disruption as possible
3. More complex than ‘what’s easy to remember’ – ‘It depends’:
– on specific user characteristics (universal access), frequency of use, interference
– on the physical and social context of use
Usable authentication
• Authenticate users when needed – but minimize the effort it requires from them
– Move from explicit to implicit authentication – let technology do the work
– Learning from e-commerce: recognize users through cookies, history/patterns, etc.
– Using tokens or biometrics
– Exploit modality of interaction – touch on touchscreens, video, audio
• Maximize the benefits for users and/or organizations – “productive security”
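The slide above lists “move from explicit to implicit authentication” and “recognize users through cookies, history/patterns” as design directions without showing a mechanism. The following is an added illustration, not code from the talk or from any UCL project, of how those two ideas combine: a tamper-evident “remembered device” cookie is minted only after one explicit login, and later requests are authenticated implicitly while the user’s context matches what they normally do, with a cheaper step-up (rather than a full re-login) when it does not. All names (issue_device_token, decide_authentication, the hour-of-day and network signals, the demo secret) are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for the example only; a deployment would load a
# per-site key from a secret store, never embed it in source.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"
TOKEN_MAX_AGE = 30 * 24 * 3600  # seconds a "remembered device" cookie stays valid


def issue_device_token(user_id: str, device_id: str, secret: bytes,
                       issued_at: Optional[int] = None) -> str:
    """Mint a tamper-evident cookie after a successful *explicit* login.

    The value is base64(payload).base64(HMAC-SHA256(payload)); the browser
    presents it on later requests so the user need not type anything.
    """
    claims = {"u": user_id, "d": device_id,
              "t": issued_at if issued_at is not None else int(time.time())}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_device_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the cookie's claims if it is intact and fresh, otherwise None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):  # malformed base64, JSON or text
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not isinstance(claims, dict) or now - int(claims.get("t", 0)) > TOKEN_MAX_AGE:
        return None
    return claims


def record_login(history: dict, user_id: str, context: dict) -> None:
    """Learn the hour-of-day and network a user normally works from
    (the 'history/patterns' signal from the slide; a constructed model)."""
    entry = history.setdefault(user_id, {"hours": set(), "networks": set()})
    entry["hours"].add(context["hour"])
    entry["networks"].add(context["network"])


def decide_authentication(user_id: str, token: Optional[str], context: dict,
                          history: dict, secret: bytes, now: int) -> str:
    """Decide how much effort to ask of the user on this request.

    'implicit'  - valid cookie and familiar context: no user action at all
    'step-up'   - valid cookie but unfamiliar context: one cheap extra check
    'explicit'  - no usable cookie: full login, after which a cookie is minted
    """
    claims = verify_device_token(token, secret, now) if token else None
    if claims is None or claims.get("u") != user_id:
        return "explicit"
    usual = history.get(user_id, {"hours": set(), "networks": set()})
    if context["hour"] in usual["hours"] and context["network"] in usual["networks"]:
        return "implicit"
    return "step-up"


if __name__ == "__main__":
    now = 1_700_000_000
    history: dict = {}
    record_login(history, "alice", {"hour": 9, "network": "office"})  # constructed history
    cookie = issue_device_token("alice", "laptop-1", DEMO_SECRET, issued_at=now - 3600)
    for ctx in ({"hour": 9, "network": "office"}, {"hour": 3, "network": "cafe"}):
        print(ctx, "->", decide_authentication("alice", cookie, ctx, history, DEMO_SECRET, now))
```

The point of the split into three outcomes is the slide’s cost argument: the expensive, disruptive path (full explicit login) is reserved for the case where the system genuinely has nothing to go on, and an anomaly on a recognised device costs the user one small action instead of the whole ritual.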
Security people don’t track the long-term impact of their policies
Such as – employees
• not using corporate laptops
• no longer logging in from home
• not collaborating with externals
• leaving the organization
… and the
• vulnerabilities created by workarounds (e.g. password sharing, mouse jigglers)
[Photo: glossy brochure of a UK railway company … complete with passwords on a whiteboard]
Usability Makes Economic Sense
• Workshop on Economics of Security (WEIS), founded by Ross Anderson and Bruce Schneier, is now 10 years old
• “Security people value users’ time at zero.”
The ‘Compliance Budget’
Example dashboard interface for CISOs

Cost of security measures

Meta-Measure          Initial Costs (once)   Enforcement Costs   Loss from non-compliance
Architectural means   high                   none / negligible   none / negligible
Formal rules          low                    high                high
Informal rules        medium                 low (spont.)        high
Don’t isolate, integrate
Engage employees to achieve culture change
• Scenario-based survey, based on interview analysis, that assesses responses to conflict situations
• Semi-structured interviews with a vertical cross section of the target organisation
• Work with the organisation to determine strategy and capability
• Select the optimal intervention, targeting the appropriate socio-technical factor(s)
• Develop and utilise metrics to measure change in security behaviour and levels of compliance
“Jason is an XY Commercial Analyst and is currently involved in an important project that requires him to present progress updates to clients, often in offsite locations. He would normally use his laptop to take presentations to clients, but his laptop developed a problem and is currently with maintenance.

He decides to use an encrypted USB memory stick to transfer the required files to the client site. Shortly before he is due to leave for the meeting, Jason realises he lent his encrypted USB stick to a colleague. He knows he will not get a replacement at such short notice, but needs some way to transfer information. The presentation includes embedded media and is too large to email, and he cannot access the internal network from the client’s site.”
• Option A: Take the required data on an unencrypted USB stick - you have one to hand.
• Option B: Borrow an encrypted stick from a colleague. You would have to also make a note of their password so you can access the data at the client's site. The colleague had asked that you do not share / erase the confidential data already on the stick.
• Option C: An employee of the client has been visiting XY and is due to travel back with you. Use the available unencrypted USB stick to put a copy of the data onto their laptop and ask them to take it to the client's site.
• Option D: Upload the files to a public online data storage service and recover them at the client's site.
Behavior Types
• Type 1: Least compliant – disregard policy to maximize productivity in case of any friction
• Type 2: Partly compliant - condone insecure behavior in case of friction, expect others “to take care of security”
• Type 3: Largely compliant – try to comply, but occasionally prioritize productivity over security; prepared to take action if cost to themselves is low
• Type 4: Mostly compliant – try to put security first, prepared to take action themselves