Visible to the public Accounting for the Human User in Predictive Security Models

TitleAccounting for the Human User in Predictive Security Models
Publication TypeConference Paper
Year of Publication2017
AuthorsNoureddine, M. A., Marturano, A., Keefe, K., Bashir, M., Sanders, W. H.
Conference Name 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing (PRDC)
ISBN Number978-1-5090-5652-1
Keywordsaccounting, Computational modeling, Computer crime, computer security, Computer simulation, Computers, Computing Theory, Cyber Attacks, cyber system, General Deterrence Theory, Human Behavior, human factors, human user, Measurement, Metrics, Modeling, Organizations, password security requirements policy, Predictive Metrics, predictive security metrics, predictive security models, psychology, pubcrawl, quantitative security metrics, science of security, secure system, Security Audits, security breaches, security designs, security metrics, security of data, security researchers, social sciences, software metrics, system security, user behavior

Given the growing sophistication of cyber attacks, designing a perfectly secure system is not generally possible. Quantitative security metrics are thus needed to measure and compare the relative security of proposed security designs and policies. Since the investigation of security breaches has shown a strong impact of human errors, ignoring the human user in computing these metrics can lead to misleading results. Despite this, and although security researchers have long observed the impact of human behavior on system security, few improvements have been made in designing systems that are resilient to the uncertainties in how humans interact with a cyber system. In this work, we develop an approach for including models of user behavior, emanating from the fields of social sciences and psychology, in the modeling of systems intended to be secure. We then illustrate how one of these models, namely general deterrence theory, can be used to study the effectiveness of the password security requirements policy and the frequency of security audits in a typical organization. Finally, we discuss the many challenges that arise when adopting such a modeling approach, and then present our recommendations for future work.

Citation Keynoureddine_accounting_2017