Literature Review
Antti Ollila, 24.2.2016, KOG520, University of Jyväskylä
Computers…
◦ …are logical
◦ …are bad at making informed decisions
◦ …do not make mistakes
◦ …are designed, operated, built and maintained…
◦ …by humans
(Saariluoma 2013, TJTA103 opening lecture)
Humans can be…
◦ …unskilled
◦ …taking unnecessary risks
◦ …careless
◦ …tired, sick, etc.
Humans are needed to make technology work
(Saariluoma 2013, TJTA103 opening lecture)
Happens everywhere
◦ …and all the time
Email to wrong recipient
Cashier giving too much change
More complexity, bigger impact
◦ UK: disclosed personal information on 25m citizens
◦ Italy: Costa Concordia
◦ Finland: Nokia Water Crisis
3rd most significant threat in 2003 (Whitman)
46% of cyber security incidents in the UK in 2011-2012 (Lee)
Weakest link in the cyber security chain
Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.
Lee, M. G. (2012, October). Securing the human to protect the system: Human factors in cyber security. In System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on (pp. 1-5). IET.
Google Scholar, IEEE Xplore, ScienceDirect
◦ ”Cyber Security Human Error”
◦ ”Cyber Security Human Factor”
◦ ”Usable Security”
◦ ”Cyber Security Usability”
◦ Years 2010-2016
Forward searching from articles found or read before
Toward Automated Reduction of Human Errors based on Cognitive Analysis (Miyamoto, D. & Takahashi, T. 2013)
Securing the Human to Protect the System: Human Factors in Cyber Security (Lee, M.G. 2012)
Measuring the Human Factor of Cyber Security (Bowen et al. 2011)
Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe, D. & Felt, A. P. 2013)
Guidelines for Usable Cybersecurity: Past and Present (Nurse et al. 2011)
Framework to gather data to understand human error
Less biased than questionnaires
Cognitive psychology
◦ Monitor eye movement and facial skin temperature when performing tasks
(Miyamoto & Takahashi 2013)
Well-Meaning Insider
◦ slips
◦ lapses
◦ mistakes
Malicious Insider
◦ violations
Malicious Outsider
46% by well-meaning insiders, 17% violations
(Lee 2012)
Training system to prevent phishing
Generates phishing emails and tracks the success rate
In the test group (2000 university students and staff) no successful phishing attempts after 4 iterations
(Bowen et al. 2011)
Study on browser warning messages
Sample of ~25m interactions
Malware warnings
◦ 7.2% Firefox, 23.2% Chrome
Good design can increase security
(Akhawe & Felt 2013)
Overly complex security systems may lead to weakened security
19 design guidelines for better usability
Usability and security do not have to be seen as competing system goals
(Nurse et al. 2011)
Security is rarely the primary task
Not everyone is a security specialist
◦ and experts make errors too
Human error is a significant threat to information security…
…but it can be mitigated to some extent by design and training
”Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems”
- Kevin Mitnick