and consider the choices given to them.

Catch corporate security policy violators. Increasing the awareness of risk could also mean increasing the likelihood that a corporate user is caught violating security policy. Having a corporate security policy that is not monitored or enforced is tantamount to having laws but no police. If the security systems have good auditing capabilities and are watched by event monitoring systems, users who make poor security decisions could be “caught” in a way. This would serve as an immediate negative consequence by itself. Like automated systems at traffic lights that snap pictures and issue violations to drivers who run red lights, users who make poor security decisions could receive automated email notifications of their actions and of the corporate policy or safe computing practice they violated. In general, the best deterrent to breaking the rules is not the severity of the consequences but the likelihood of being caught.

Reduce the cost of implementing security. Obviously, if users need to take additional steps to increase their level of security, they will be less likely to do so. As the cost of implementing security increases, the overall value of the decision decreases. To accomplish a task, users often seek the path of least resistance that satisfies the primary goal. It should be common knowledge that in making the secure choice the easiest for the user to implement, one takes advantage of normal user behavior and gains compliance.

Another way to reduce the cost of security is, of course, to employ secure default settings. Most users never change the default settings of their applications. In this way, one increases the cost of making non-secure decisions in terms of time and effort. While good default settings can increase security, system designers must be careful that users do not find an easier way to slip around them. For example, users who are directed by their IT departments to use strong passwords across multiple systems are more likely to write them down [1].


CONCLUSION

Core to security on an everyday basis is the compliance of the end user, but how do we get them to make good decisions when they are often the weakest link in the chain? Users must be less motivated to choose anti-security options and more motivated to choose pro-security options. Obviously, no one would suggest training end users with USB devices that deliver an electric shock or food pellet reward based on their actions. But, generally speaking, we can increase compliance if we work with the psychological principles that drive behavior.

The ideal security user experience for most users would be none at all. The vast majority would be content to use computers to enrich their lives while taking for granted a perfectly secure and reliable infrastructure that makes it all possible. Security only becomes a priority for many when they have problems with it. However, now and in the foreseeable future, users are in the control loop. We must design systems with an understanding that users, at some point, must make a decision regarding security. The question is, what will they decide?

REFERENCES

1. Adams, A. and Sasse, M. A. Users are not the enemy. Commun. ACM 42, 12 (1999), 40–46.

2. Borgida, E. and Nisbett, R.E. The differential impact of abstract vs. concrete information on decisions. J. Applied Social Psychology 7 (1977), 258–271.

3. Dhamija, R., Tygar, J.D., and Hearst, M. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada, Apr. 22–27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. ACM, New York, 2006, 581–590.

4. Downs, J.S., Holbrook, M., and Cranor, L.F. Behavioral response to phishing risk. In Proceedings of the Anti-Phishing Working Group's 2nd Annual eCrime Researchers Summit (Pittsburgh, PA, Oct. 4–5, 2007). ACM, New York, 2007, 37–44.

5. Greenwald, S.J., Olthoff, K.G., Raskin, V., and Ruch, W. The user non-acceptance paradigm: INFOSEC's dirty little secret. New Security Paradigms Workshop. ACM, New York, 35–43.

6. Slovic, P., Fischhoff, B., and Lichtenstein, S. Facts versus fears: Understanding perceived risks. In Judgment under Uncertainty: Heuristics and Biases. D. Kahneman, P. Slovic, and A. Tversky, Eds. Cambridge University Press, New York, 1986, 463–489.

7. Smetters, D.K. and Grinter, R.E. Moving from the design of usable security technologies to the design of useful secure applications. New Security Paradigms Workshop. ACM, New York, 2002, 82–89.

8. Tversky, A. and Kahneman, D. Rational choice and the framing of decisions. J. Business 59 (1986), 251–278.

9. Whitten, A. and Tygar, J.D. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium (1999). USENIX Association, Berkeley, CA, 169–184.

10. Wright, P. The harassed decision maker: Time pressure, distractions, and the use of evidence. J. Applied Psychology 59 (1974), 555–561.

11. Yee, K.P. User interaction design for secure systems. In Proceedings of the 4th International Conference on Information and Communications Security. Springer-Verlag, London, 2002.

12. Zurko, M.E. and Simon, R.T. User-centered security. New Security Paradigms Workshop. ACM, New York, 27–33.


RYAN WEST (ryan.west@acm.org) has conducted academic research in risk and decision making and applied research in areas ranging from medical mistakes to computer security. He currently works as a design researcher at Dell, Inc., Austin, TX.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

© 2008 ACM 0001-0782/08/0400 $5.00
