Given the diverse and complex nature of computer security, a natural response of the academic and industrial communities has been to study how technical solutions to the problem can be built. Although technical solutions to many problems can be quite effective, the underlying premise of most of them is that users are informed enough to recognize and avoid risky behavior. While considerable rigor has been applied to evaluating the efficacy of the various technical approaches, the human aspect of computer security has received relatively little attention, and what evaluation exists is largely cursory or anecdotal.
The unfortunate result of this lack of rigorous scientific data is the use of under-funded and ad hoc security awareness initiatives that offer limited benefit to the security of the enterprise. This work will leverage the unique aspects of the university environment to conduct a formal set of experiments, at multiple scales (time, observation group, and data granularity), on the efficacy of security awareness techniques. Moreover, the interdisciplinary effort will apply formal experiments to explore the use of negative, positive, and targeted communication interventions drawn from theoretical considerations in the existing criminology, psychology, and information systems literature.
Stated another way, organizations dedicate significant financial and human resources to information security awareness programs designed to raise user knowledge of safe computing practices and information security risks. Unfortunately, despite the significant resources being spent on awareness, organizations have little if any guidance or scientific evidence with which to construct effective strategies. Should campaigns rely on positive or negative messaging? Are postcards, hallway posters, or training classes more effective? Are the effects of an awareness campaign temporary or long term? The focus of this work will be to provide that rigorous scientific basis by exploring how effective awareness techniques are in the "wild" of the university environment, where user behavior is not masked by the network security controls typical of an enterprise. A key broader impact of the work will be the creation of basic guidelines for constructing security awareness programs. The intended result is a substantial improvement in the cost efficiency of security awareness techniques and hence a significant improvement in the national cyber-security infrastructure.