Human error in cyber security

Post on 26-Jan-2017


Literature Review

Antti Ollila, 24.2.2016, KOG520, University of Jyväskylä

Computers…

◦ …are logical

◦ …are bad at making informed decisions

◦ …do not make mistakes

◦ …are designed, operated, built and maintained…

◦ … by humans

(Saariluoma 2013, TJTA103 opening lecture)

Humans can be…

◦ …unskilled

◦ …taking unnecessary risks

◦ …careless

◦ …tired, sick, etc.

Humans are needed to make technology work

(Saariluoma 2013, TJTA103 opening lecture)

Human error happens everywhere…

◦ …and all the time

Email to wrong recipient

Cashier giving too much change

More complexity, bigger impact:

◦ UK: personal information on 25m citizens disclosed

◦ Italy: Costa Concordia

◦ Finland: Nokia water crisis (the town of Nokia, 2007)

Human error ranked as the 3rd most significant threat to information security in 2003 (Whitman 2003)

Human error accounted for 46% of cyber security incidents in the UK in 2011-2012 (Lee 2012)

Humans are the weakest link in the cyber security chain

Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.

Lee, M. G. (2012, October). Securing the human to protect the system: Human factors in cyber security. In 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012 (pp. 1-5). IET.

Databases searched: Google Scholar, IEEE Xplore, ScienceDirect

Search terms:

◦ ”Cyber Security Human Error”

◦ ”Cyber Security Human Factor”

◦ ”Usable Security”

◦ ”Cyber Security Usability”

◦ Years 2010-2016

Forward searching (following citations) from articles already found or read

Toward Automated Reduction of Human Errors based on Cognitive Analysis (Miyamoto, D. & Takahashi, T. 2013)

Securing the Human to Protect the System: Human Factors in Cyber Security (Lee, M.G. 2012)

Measuring the Human Factor of Cyber Security (Bowen et al. 2011)

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe, D. & Felt, A. P. 2013)

Guidelines for Usable Cybersecurity: Past and Present (Nurse et al. 2011)

Miyamoto & Takahashi (2013): a framework for gathering data to understand human error

Less biased than questionnaires

Cognitive psychology approach:

◦ Monitor eye movement and facial skin temperature while subjects perform tasks

Lee (2012): classification of the human sources of incidents

Well-meaning insider:

◦ slips

◦ lapses

◦ mistakes

Malicious insider:

◦ violations

Malicious outsider

46% of incidents were caused by well-meaning insiders, 17% were violations

Bowen et al. (2011): a training system to prevent phishing

Generates phishing emails and tracks the success rate of each round

In the test group (2000 university students and staff) there were no successful phishing attempts after 4 iterations
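The mechanism described above, as an added example that is not code from Bowen et al. or from this presentation: a minimal phishing-simulation tracker. Each round issues every participant a benign lure whose link carries an unguessable per-user, per-round token; the landing page records a click only if the token is valid, and the round's success rate is the fraction of participants who clicked. The campaign stops at the first round with no successful attempts, which is the stopping condition the slide reports. The hostname training.example.invalid and the per-user click behaviour in run_campaign are constructed for the example.

```python
"""Simulated phishing campaign tracker (constructed example, not the paper's code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Campaign:
    participants: list[str]
    # token -> (round number, user); tokens are random, so a click cannot be forged
    # by guessing another user's link, and each token identifies exactly one send
    tokens: dict[str, tuple[int, str]] = field(default_factory=dict)
    # round number -> set of users who clicked in that round (a user counts once)
    clicks: dict[int, set[str]] = field(default_factory=dict)

    def send_round(self, round_no: int) -> dict[str, str]:
        """Issue one lure per participant; returns {user: tracking URL}.

        In a real system the URL would be embedded in the simulated phishing
        email. The hostname is an assumption for the example.
        """
        self.clicks.setdefault(round_no, set())
        emails = {}
        for user in self.participants:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = (round_no, user)
            emails[user] = f"https://training.example.invalid/r/{token}"
        return emails

    def record_click(self, token: str) -> bool:
        """Called by the landing page. Returns False for unknown tokens."""
        entry = self.tokens.get(token)
        if entry is None:
            return False
        round_no, user = entry
        self.clicks[round_no].add(user)
        return True

    def success_rate(self, round_no: int) -> float:
        """Fraction of participants who clicked in the given round."""
        return len(self.clicks.get(round_no, set())) / len(self.participants)


def run_campaign(participants: list[str], rounds_until_learned: dict[str, int],
                 max_rounds: int = 10) -> list[float]:
    """Run rounds until one has no successful attempt; returns per-round rates.

    rounds_until_learned is a constructed click model: the number of further
    lures each user will still fall for before the training takes hold.
    """
    remaining = dict(rounds_until_learned)
    campaign = Campaign(participants)
    rates = []
    for round_no in range(1, max_rounds + 1):
        emails = campaign.send_round(round_no)
        for user, url in emails.items():
            if remaining[user] > 0:
                remaining[user] -= 1
                campaign.record_click(url.rsplit("/", 1)[1])
        rate = campaign.success_rate(round_no)
        rates.append(rate)
        if rate == 0.0:  # the slide's stopping condition: a round with no victims
            break
    return rates


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    print(run_campaign(users, {"alice": 0, "bob": 1, "carol": 2, "dave": 3}))
```

Counting each user at most once per round matters: a curious user who clicks the same link twice should not inflate the rate, and tokens never expire here, so a later click on an old round's link is attributed to the round it was sent in rather than the current one.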

Akhawe & Felt (2013): field study of browser warning messages

Sample of ~25m warning interactions

Click-through rates for malware warnings: 7.2% in Firefox, 23.2% in Chrome

Nurse et al. (2011): good design can increase security

Overly complex security systems can weaken security

19 design guidelines for better usability

Usability and security need not be seen as competing system goals

Security is rarely the user's primary task

Not everyone is a security specialist

◦ And experts make errors too

Human error is a significant threat to information security...

...but it can be mitigated to some extent by design and training

”Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems”

-Kevin Mitnick
