Addressing Human Behavior in Cyber Security




Michael Orosz, Ph.D., USC Information Sciences Institute

This discussion is proudly sponsored through a partnership between AFCEA, IEEE Computer Society, and IEEE Security & Privacy Magazine

Who We Are
- Founded in 1972 as a spin-off from the Rand Corporation
- A component of the USC Viterbi School of Engineering
- Locations: Marina del Rey, CA and Arlington, VA
- Pioneering work in establishing the Internet (e.g., DNS)
- Cyber-security research (examples):
  - DETER cyber test bed (funded by DHS, NSF and DARPA)
  - Smart Grid cyber-security (DoE and LADWP funded)
  - Behavior-driven cyber security (NSF)

Review: Cyber Security is about Balance
- Cyber security is increasingly seen as the management of economic trade-offs
- Losses from actual attacks
  - Monetary costs
  - Psychological costs due to loss of privacy
  - Loss of opportunity
- Costs of threat/attack mitigation mechanisms
  - Monetary costs
  - Degradation of performance and productivity
  - Intrusion

Cyber Security is a socio-technical problem
- Traditional cyber security focuses on the technical side of the problem
- Cyber security is a socio-technical issue: it relies on technology and humans
- A system or network is only as secure as its weakest link, which typically falls on the human side of the equation
- Successful design, implementation, and enforcement of security requires an understanding of the interplay of social and technological issues

Recent Headlines
- 70M+ customers compromised
- Syrian Electronic Army

Why are humans the weakest link?
- Poor mental models of security due to the complexity of security systems
- Bounded rationality
- Use of a set of heuristics as mental shortcuts in security decision making
  - Heuristics, e.g., availability heuristic
  - Biases, e.g., confirmation bias
- Security trade-offs that can be evaluated incorrectly:
  1. Severity of the risk
  2. Probability of the risk
  3. Magnitude of the costs
  4. Effectiveness of countermeasure
  5. Ability to correctly consider trade-offs

We Don't Understand
- "I have nothing to lose or hide"
- "I can easily recover from a cyberattack"
- "We're a small company, no one cares about us"
- "I'm not connected to the digital world"

Motivations
- Attacker: Greed, power, access, the thrill of it, etc.
- The rest: Lazy, uninformed, confused, overwhelmed, etc.

Research Questions
- Why does the behavior of various actors diverge from rationality?
- Can we leverage this knowledge to increase cybersecurity?
- What factors influence decision making for actors?
- How can we address the gaps between optimum and actual actions?
- How can we address attackers who take advantage of the gaps between perceived and actual risk?

Actors
- Attackers: malicious actors who are focused on compromising and/or gaining access to a cyber system for various reasons
- Defenders: non-malicious actors who intend to maintain the security of a system (e.g., IT personnel, security, etc.)
- End-users: actors whose behavior/attitudes are indifferent to system security but who do not intend to attack the system

Research thrust 1: Decision Analysis Modeling of Users, Attackers, and Defenders
- Increase our understanding of how humans process risk and apply heuristics to think about security
  - We can learn how to override our natural tendencies and make better security trade-offs.
- Increase our understanding of how malicious actors can take advantage of cognitive biases (e.g., to make people feel more secure than they actually are) to achieve their goals
- Better understand how attackers actually behave (risk-taking behavior and decision heuristics)
  - Ensure that the best technologies for threat prevention, detection, analysis, and mitigation are created.
  - Potential to reduce costs by implementing more targeted monitoring and protection.

Interactions between players in the adversarial cyber security game
To better understand the linkages between the stakeholders, we consider technological as well as psychosocial aspects of the interactions.

Research thrust 2: Integrate Psychosocial Components into Cyber Security
Goal: understand, model, and integrate the psychosocial aspects in the design of effective human-centered security mechanisms.
Research questions:
  1. To what extent are the psychosocial characteristics of human-to-human interactions evident in human-computer interactions relevant to cyber security?
  2. Under which conditions do social preferences have important effects on cyber security? In particular, in what cases should the interaction resemble human-to-human communication in order to encourage the preferences beneficial to cyber security?
  3. What is the best way to model and utilize these preferences?

Subject Matter Experts Address Attackers, Defenders and End-Users
Answer questions such as:
- What motivates an attacker to undertake a cyberattack?
- Why is a particular attack vector taken?
- How do attackers assess risk?
- At what threshold does an attacker determine that risk is too high?
- Why do defenders take the actions they take in implementing counter-measures?
- How do defenders assess risk?

Working with SMEs
- Surveys
  - SMEs will be asked to take part in periodic (several per year) on-line surveys issued by project personnel
- Expert elicitations
  - One-on-one discussions (several per year) between SMEs and project personnel
  - Approximately 1-2 hours in length
- Process
  - Minimize impact on SME's time
  - Based on surveys and discussions, project team will develop initial models of actor behavior and various scenarios for each of the actors
  - SMEs will be presented with models/scenarios to help with validation

Thank You