Effective Communication of Cyber Security Risks: Addressing the Human Element in Security Jason R.C. Nurse (PhD, MSc, BSc) Cyber Security Centre, Department.
Post on 17-Dec-2015
222 Views
Preview:
Transcript
Effective Communication of Cyber Security Risks:
Addressing the Human Element in Security
Jason R.C. Nurse (PhD, MSc, BSc)Cyber Security Centre, Department of Computer Science
University of Oxford, UK
7th International Scientific Conference Security and Protection of Information
22–24 May 2013 Trade Fairs Brno, Czech Republic
http://tease-project.info/
Open Day: 5 May 2012
Outline
Why focus on humans and not technology?
Addressing the human-related issues
Recommendations for communicating risks
Next steps…
2
Open Day: 5 May 2012
Outline
Why focus on humans and not technology?
Addressing the human-related issues
Recommendations for communicating risks
Next steps…
3
Open Day: 5 May 2012
Why focus on the human element?
Increase in attacks that exploit humans Spamming Phishing, spear phishing Social-engineering threats Malicious applications
4
Open Day: 5 May 2012
Why focus on the human element?
End-user systems tend not to design for usable security “Why Johnny can’t encrypt?” (1999) “It’s too complicated so I turned it off!” (2010) Countless other system examples…
Configuring home routers and firewalls
Forced to using complex passwords, that are to be changed monthly
5
Open Day: 5 May 2012
Why focus on the human element?
Usability also important for security professionals Task workload, time factors and increasing complexity of
security systems
6
Sax2 Intrusion Prevention and Intrusion Detection System screenshots of event viewers, typical interaction screens (http://www.ids-sax2.com)
Open Day: 5 May 2012
Why focus on the human element?
In summary, the problems… For end-users, security is usually a secondary goal Interfaces tend to be too confusing and clumsy Lack of quality feedback to users when performing security tasks Strain on users to remember several security settings, configurations / passwords Abundance of technical terminology Forcing uninformed security decisions on users For security professionals, interfaces are difficult to use Task workload and increasing complexity of security systems
7
Open Day: 5 May 2012
Outline
Why focus on humans and not technology?
Addressing the human-related issues
Recommendations for communicating risks
Next steps…
8
Open Day: 5 May 2012
Addressing the human element in security
Three-pronged approach How to building trust in interfaces and information? What are the key practices in designing for usable
security? How to effectively communicate cybersecurity risks to
end-users and security professionals?
9
Trust
UsabilityCybersecurity risk communication
Open Day: 5 May 2012
Addressing the human element in security
10
Trust
Usability Cybersecurity risk communication
Key factors: Interface and information presentation, relevance, supporting understanding, …
Inspiration from risk communication field – importance of format in presenting risk message, understanding user perceptions
Efficient interface design, supportuser decision-making, reduce use oftechnical jargon and always providehelp functionality, …
Open Day: 5 May 2012
Outline
Why focus on humans and not technology?
Addressing the human-related issues
Recommendations for communicating risks
Next steps…
11
Open Day: 5 May 2012
Recommendations for communicating risks
Planning how cybersecurity risks will be communicated is crucial. Be clear on the goal, messages and strategies most useful, and characteristics of typical system users
The meaning of information presented in security / risk messages should be clear. Information should be specific and unambiguous, or risks being disregarded
Users should be presented with clear and consistent directions for action i.e., options for responding to a security risk. Narratives might be provided in helping users to visualise outcome of decisions
12
http://i.msdn.microsoft.com/dynimg/IC107028.gif
Open Day: 5 May 2012
Recommendations for communicating risks
Design with the understanding that humans possess a limited processing capacity. Reduce cognitive effort. E.g., present key security / risk information first, optional details later
Make security functionality visible and accessible, while also making users aware of the system’s current security state.
Provide accessible help, advice and documentation for security.
13
Open Day: 5 May 2012
Recommendations for communicating risks
For visual communication of security risks, note (i) stick with established colours and use known real-world metaphors (ii) no single visual will be perfect in all situations, etc.
To communicate risks numerically, note, users with high-numeracy levels are likely to pay more attention to risk figures, while low-numerate users may rely more on emotions, mood states and guidance
When communicating risks verbally, may be best to use additional means (e.g., numbers) to adequately communicate the risk. “This site is likely to be malicious” – interpretation of likely is subjective
14
Enterasys Dragon: Intrusion Prevention System Log Analysis(http://blog.tmcnet.com/advanced-netflow-traffic-analysis/2012/12/enterasys-dragon-intrusion-prevention-system-log-analysis.html)
Open Day: 5 May 2012
Outline
Why focus on humans and not technology?
Addressing the human-related issues
Recommendations for communicating risks
Next steps…
15
Open Day: 5 May 2012
What’s next?
Evaluating recommendations Identification of case scenarios where recommendations
can be adequately assessed Development of a prototype system and/or add-on functionality (to
existing system, e.g., browser) in line which scenarios to supply practical basis for analysis
User studies to critically evaluate the trustworthiness and effectiveness of communications with and without recommendations proposed
16
Open Day: 5 May 2012
What’s next?
Crisis Management – Realising value from open-source information (e.g.,Twitter, Facebook, Blogs) 1
17
1 “Building Confidence in Information-Trustworthiness Metrics for Decision Support”, TrustCom 20132 “A Data-Reachability Model for Elucidating Privacy and Security Risks Related to the Use of Online Social Networks”, TrustCom 2012
Published research
Approach and model
Real name Risk exposure
Security and Privacy risks in the useof social media – understanding and communicating the serious risk faced by oversharing 2
Open Day: 5 May 2012
What’s next?
18
CyberVis – Visualise attacks on business processes 1
1 http://www.cs.ox.ac.uk/projects/cybervis/index.html2 http://ff.cx/nflowvis/3 http://securedecisions.com/products/meercat/4 http://5thsentinel.wordpress.com/2009/10/19/inappropriate-content-visualization-mark-ii/
Circos – Inappropriate content visualisation 4MeerCAT® – Visual tool for Wireless Security Analysis 3
NFlowVis – University's Computer Network Under Attack 2
Open Day: 5 May 2012
Conclusions
19
Reflected on why it’s important to focus on the human element of security
Three-pronged approach to addressing the issues Recommendations for effectively communicating
cybersecurity risk Next steps for our work
top related