Addressing Human Behavior in Cyber Security

Transcription

1 Addressing Human Behavior in Cyber Security Image: Sileo.com Michael Orosz, Ph.D. USC Information Sciences Institute

2 This discussion is proudly sponsored through a partnership between AFCEA, IEEE Computer Society, and IEEE Security & Privacy Magazine

3 Who We Are Founded in 1972 as a spin-off from the Rand Corporation A component of the USC Viterbi School of Engineering Locations: Marina del Rey, CA and Arlington, VA Pioneering work in establishing the Internet (e.g., DNS) Cyber-security research (examples): DETER cyber test bed (funded by DHS, NSF and DARPA) Smart Grid cyber-security (DoE and LADWP funded) Behavior-driven cyber security (NSF)

4 Review: Cyber Security is about Balance Cyber security is increasingly seen as the management of economic trade-offs Losses from actual attacks Monetary costs Psychological costs due to loss of privacy Loss of opportunity Costs of threat/attack mitigation mechanisms Monetary costs Degradation of performance and productivity Intrusion

5 Cyber Security is a socio-technical problem Traditional cyber security focuses on technical side of the problem Cyber security is socio-technical issue: it relies on technology and humans Security of a system or network is as secure as it s weakest link which typically falls on the human side of the equation Successful design, implementation, and enforcement of security requires understanding of interplay of social and technological issues

6 Recent Headlines 70M+ customers comprised Syrian Electronic Army

7 Why humans are the weakest link? Poor mental models of security due to the complexity of security systems Bounded rationality Use a set of heuristics as mental short cuts in security decision making Heuristics, e.g., Availability heuristic Biases, e.g., Confirmation bias Security trade-offs that can be evaluated incorrectly: 1. Severity of the risk 2. Probability of the risk 3. Magnitude of the costs 4. Effectiveness of countermeasure 5. Ability to correctly consider trade-offs

8 We Don t Understand I have nothing to lose or hide I can easily recover from a cyberattack We re a small company, no one cares about us I m not connected to the digital world

9 Attacker: Greed, power, access, the thrill of it, etc. The rest: Lazy, uninformed, confused, overwhelmed, etc. Motivations

10 Research Questions Why does the behavior of various actors diverge from rationality? Can we leverage this knowledge to increase cybersecurity? What factors influence decision making for actors? How can we address the gaps between optimum and actual actions? How can we take address attackers who take advantage of the gaps between perceived and actual risk?

11 Actors Attackers: malicious actors who are focused on compromising and/or gaining access to a cyber system for various reasons Defenders: non-malicious actors - those who intend to maintain the security of a system (e.g., IT personnel, security, etc.) End-users: actors whose behavior/attitudes are indifferent to system security but do not intend to attack the system

12 Research thrust 1: Decision Analysis Modeling of Users, Attackers, and Defenders Increase our understanding of how humans process risk and apply heuristics to think about security we can learn how to override our natural tendencies and make better security trade-offs. Increase our understanding of how malicious actors can take advantage of cognitive biases e.g., to make people feel more secure than they actually are to achieve their goals Better understand how attackers actually behave (risk taking behavior and decision heuristics) ensure that the best technologies for threat prevention, detection, analysis, and mitigation are created. potential to reduce costs by implementing more targeted monitoring and protection.

13 Interactions between players in the adversarial cyber security game To better understand the linkages between the stakeholders, we consider technological as well psychosocial aspects of the interactions.

14 Research thrust 2: Integrate Psychosocial Components into Cyber Security Goal: understand, model, and integrate the psychosocial aspects in the design of effective human-centered security mechanisms. Research questions: 1. Investigate to what extent the psychosocial characteristics of human-to-human interactions are evident in humancomputer interactions relevant to cyber security. 2. Under which conditions the social preferences have important effects on cyber security? In particular, in what cases should the interaction resemble human-tohuman communication in order to encourage the preferences beneficial to cyber security? 3. What is the best way to model and utilize these preferences?

15 Subject Matter Experts Address Attackers, Defenders and End- Users Answer questions such as: What motivates an attacker to undertake a cyberattack? Why a particular attack vector is taken? How do attackers assess risk? IT Department At what threshold does an attacker determine that risk is too high? Why do defenders take the actions they take in implementing counter-measures? How do defenders access risk?

16 Working with SMEs Surveys SMEs will be asked to take part in periodic (several per year) on-line surveys issued by project personnel Expert elicitations One-on-one discussions (several per year) between SMEs and project personnel Approximately 1-2 hours in length Process Minimize impact on SME s time Based on surveys and discussions, project team will develop initial models of actor behavior and various scenarios for each of the actors SMEs will be presented with models/scenarios to help with validation

17 Thank You Image: kattoons.com