Accounting for the Human User in Predictive Security Models
| Field | Value |
|---|---|
| Title | Accounting for the Human User in Predictive Security Models |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Noureddine, M. A., Marturano, A., Keefe, K., Bashir, M., Sanders, W. H. |
| Conference Name | 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing (PRDC) |
| ISBN Number | 978-1-5090-5652-1 |
| Keywords | accounting, Computational modeling, Computer crime, computer security, Computer simulation, Computers, Computing Theory, Cyber Attacks, cyber system, General Deterrence Theory, Human Behavior, human factors, human user, Measurement, Metrics, Modeling, Organizations, password security requirements policy, Predictive Metrics, predictive security metrics, predictive security models, psychology, pubcrawl, quantitative security metrics, science of security, secure system, Security Audits, security breaches, security designs, security metrics, security of data, security researchers, social sciences, software metrics, system security, user behavior |
| Abstract | Given the growing sophistication of cyber attacks, designing a perfectly secure system is not generally possible. Quantitative security metrics are thus needed to measure and compare the relative security of proposed security designs and policies. Since the investigation of security breaches has shown a strong impact of human errors, ignoring the human user in computing these metrics can lead to misleading results. Despite this, and although security researchers have long observed the impact of human behavior on system security, few improvements have been made in designing systems that are resilient to the uncertainties in how humans interact with a cyber system. In this work, we develop an approach for including models of user behavior, emanating from the fields of social sciences and psychology, in the modeling of systems intended to be secure. We then illustrate how one of these models, namely general deterrence theory, can be used to study the effectiveness of the password security requirements policy and the frequency of security audits in a typical organization. Finally, we discuss the many challenges that arise when adopting such a modeling approach, and then present our recommendations for future work. |
| URL | http://ieeexplore.ieee.org/document/7920638/ |
| DOI | 10.1109/PRDC.2017.58 |
| Citation Key | noureddine_accounting_2017 |