Human Behaviour and Security Compliance

Transcription

1 Human Behaviour and Security Compliance M. Angela Sasse University College London, UK Research Institute for Science of Cyber Security Academic Centre of Excellence for Cyber Security Research

2 Overview 1. Why do employees not comply with security policies? 2. How can organisations improve security compliance? 1. Decide what you want. Compliance? Or Security? 2. Understand what you are asking employees to do. 3. Reduce friction better design. And improve productivity in the process! 4. Engage employees from passive compliance to active participation.

3 The image part with relationship ID rid2 was not found in the file. Background 1996: Usability study to explain password security (with Anne Adams) Published in 1999: Users Are Not the Enemy Also 1999: Whitten & Tygar Why Johnny can t encrypt Started research in usable security Adams & Sasse CACM 1999

4 Has it made a difference in practice? Consider authentication: Nielsen (2000) said that biometrics are highly usable and would replace passwords. Schneier (2000) and Gates (2004) predicted that passwords would become obsolete. Instead: People have more passwords. Longer ones. They write down, store, re-use and re-cycle passwords. They have to think up and recall back-up credentials for passwords. And solve a CAPTCHA before they are allowed to attempt to remember them.

5 Allendoerfer & Pai (2005): Human Factors Considerations for Passwords and Other User Identification Techniques. US DOT/FAA/CT- 05/20

6 Designing better security mechanisms 1. Fitting the system around the human (90% of the time bending human to fit the task (10%) 2. Security is a secondary task it should create as little additional workload and disruption as possible 3. More complex than what s easy to remember - It Depends : on specific user characteristics (universal access), frequency of use, interference physical and social context of use characteristics of the device (Sasse et al., 2001)

7 Usable authentication Authenticate users when needed but minimize the effort it requires from them Move from explicit to implicit authentication let technology do the work Learning from e-commerce: recognize users through cookies, history/patterns, etc. Using tokens or biometrics Exploit modality of interaction touch on touchscreens, video, audio Maximize the benefits for users and/or organizations productive security

8 Security people don t track long-term impact of their policies Such as - employees not using corporate laptops stop logging in from home not collaborating with externals leaving the organization and the vulnerabilities created by workarounds (e.g password sharing, mouse jigglers) bad general security perceptions and habits

9 Glossy brochure of UK railway company complete with passwords on whiteboard

10 Usability Makes Economic Sense Workshop on Economics of Security (WEIS), founded by Ross and Anderson and Bruce Schneier, is now 10 years old Security people value users time at zero. (Herley NSPW 2009)

11 The Compliance Budget Beautement et al. 2008

12 Example dashboard interface for CISOs Parkin et al. 2010

13 Cost of security measures Pallas 2008 Meta- Measure Architect. Means Formal Rules Informal Rules Initial Costs (once) high Enforcement Costs none / negligible Loss from noncompliance none / negligible low high high medium low (spont.) high

14 Don t isolate, integrate Challenger & Clegg (2011)

15 Engage employees to achieve culture change 1 Semi-structured interviews with vertical cross section of the target organisation 2 Scenario-based survey, based on interview analysis, that assesses responses to conflict situations 3 Work with organisation to determine strategy and capability 4 Select optimal intervention, targeting appropriate sociotechnical factor(s) 5 Develop and utilise metrics to measure change in security behaviour and levels of compliance

16 Jason is an XY Commercial Analyst and is currently involved in an important project that requires him to present progress updates to clients, often in offsite locations. He would normally use his laptop to take presentations to clients, but his laptop developed a problem and is currently with maintenance. He decides to use an encrypted USB memory stick to transfer the required files to the client site. Shortly before he is due to leave for the meeting, Jason realises he lent his encrypted USB stick to a colleague. He knows he will not get a replacement at such short notice, but needs some way to transfer information. The presentation includes embedded media and is too large to , and he cannot access the internal network from the client s site.

17 Option A: Take the required data on an unencrypted USB stick - you have one to hand. Option B: Borrow an encrypted stick from a colleague. You would have to also make a note of their password so you can access the data at the client's site. The colleague had asked that you do not share / erase the confidential data already on the stick. Option C: An employee of the client has been visiting XY and is due to travel back with you. Use the available unencrypted USB stick to put a copy of the data onto their laptop and ask them to take it to the client's site. Option D: Upload the files to a public online data storage service and recover them at the client's site.

18 Behavior Types Type 1: Least compliant disregard policy to maximize productivity in case of any friction Type 2: Partly compliant - condone insecure behavior in case of friction, expect others to take care of security Type 3: Largely compliant try to comply, but occasionally prioritize productivity over security; prepared to take action if cost to themselves is low Type 4: Mostly compliant try to put security first, prepared to take action themselves Most frequent behaviour types were 3 and 4

19 Attitude types Type 1: Discount suspicions, cause no bother, passive Type 2: Report suspicions if easy to do, take no direct personal action Type 3: Report suspicions through prescribed channels, take no personal direct action Type 4: Take direct personal action against the threat Most frequent attitude types were 2 and 3

20 Analysis of free-text responses Overwhelming number suggested more secure workarounds (alternatives to options offered) but 97% of suggestions were not secure Large number of justifications for workarounds Less than 10% mentioned benefits of security policies and mechanisms

21 Other interventions Reporting point for issues and debating them openly Targeted campaigns for specific issues New forms of training better integrated, reminders Integration with safety, sustainability how do we Do the Right Thing in all of these?

22 Obstacle security = unproductive security

23 Security that supports user goals

24 Engagement next stages Target specific areas of non-compliance Design Communication- change the discourse Leadership Measure changes in behaviour build on what works,