Human Error in Cyber Security
Page 1
Literature Review
Antti Ollila
24.2.2016
KOG520
University of Jyväskylä
Page 2
Computers…
◦ …are logical
◦ …are bad at making informed decisions
◦ …do not make mistakes
◦ …are designed, operated, built and maintained…
◦ …by humans
(Saariluoma 2013, TJTA103 opening lecture)
Page 3
Humans can be…
◦ …unskilled
◦ …taking unnecessary risks
◦ …careless
◦ …tired, sick, etc.
Humans are needed to make technology work
(Saariluoma 2013, TJTA103 opening lecture)
Page 4
Happens everywhere
◦ and all the time
Email to wrong recipient
Cashier giving too much change
More complexity, bigger impact
◦ UK: disclosed personal information on 25m citizens
◦ Italy: Costa Concordia
◦ Finland: Nokia Water Crisis
Page 5
3rd most significant threat in 2003 (Whitman)
46% of cyber security incidents in UK 2011-2012 (Lee)
Weakest link in the cyber security chain
Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.
Lee, M. G. (2012, October). Securing the human to protect the system: Human factors in cyber security. In System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on (pp. 1-5). IET.
Page 6
Google Scholar, IEEE Xplore, ScienceDirect
◦ "Cyber Security Human Error"
◦ "Cyber Security Human Factor"
◦ "Usable Security"
◦ "Cyber Security Usability"
◦ Years 2010-2016
Forward searching from articles found or read before
Page 7
Toward Automated Reduction of Human Errors based on Cognitive Analysis (Miyamoto, D. & Takahashi, T. 2013)
Securing the Human to Protect the System: Human Factors in Cyber Security (Lee, M.G. 2012)
Measuring the Human Factor of Cyber Security (Bowen et al. 2011)
Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe, D. & Felt, A. P. 2013)
Guidelines for Usable Cybersecurity: Past and Present (Nurse et al. 2011)
Page 8
Framework to gather data to understand human error
Less biased than questionnaires
Cognitive psychology
◦ Monitor eye movement and facial skin temperature when performing tasks
Page 9
Well-Meaning Insider
◦ slips
◦ lapses
◦ mistakes
Malicious Insider
◦ violations
Malicious Outsider
46% by well-meaning insiders, 17% violations
Page 10
Training system to prevent phishing
Generates phishing emails and tracks the success rate
In test group (2000 university students and staff), no successful phishing attempts after 4 iterations
Page 11
Study on browser warning messages
Sample of ~25m interactions
Malware warnings
◦ 7.2% Firefox, 23.2% Chrome
Good design can increase security
Page 12
Too complex security systems might lead to weakened security
19 design guidelines for better usability
Usability and Security do not have to be seen as competing system goals
Page 13
Security is rarely the primary task
Not everyone is a security specialist
◦ And experts also make errors
Human error is a significant threat to information security...
...but it can be mitigated to some extent by design and training
Page 14
"Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems"
- Kevin Mitnick