Human Error in Cyber Security
Literature Review
Antti Ollila, 24.2.2016
KOG520
University of Jyväskylä
• Computers…
◦ …are logical
◦ …are bad at making informed decisions
◦ …do not make mistakes
◦ …are designed, operated, built and maintained…
◦ …by humans
(Saariluoma 2013, TJTA103 opening lecture)

• Humans can be…
◦ …unskilled
◦ …taking unnecessary risks
◦ …careless
◦ …tired, sick, etc.
• Humans are needed to make technology work
(Saariluoma 2013, TJTA103 opening lecture)

• Happens everywhere
◦ and all the time
• Email to wrong recipient
• Cashier giving too much change
• More complexity, bigger impact
◦ UK: disclosed personal information on 25m citizens
◦ Italy: Costa Concordia
◦ Finland: Nokia Water Crisis

• 3rd most significant threat in 2003 (Whitman)
• 46% of cyber security incidents in UK 2011-2012 (Lee)
• Weakest link in the cyber security chain
Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91-95.
Lee, M. G. (2012, October). Securing the human to protect the system: Human factors in cyber security. In System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on (pp. 1-5). IET.

• Google Scholar, IEEEXplore, sciencedirect
◦ “Cyber Security Human Error”
◦ “Cyber Security Human Factor”
◦ “Usable Security”
◦ “Cyber Security Usability”
◦ Years 2010-2016
• Forward searching from articles found or read before

• Toward Automated Reduction of Human Errors based on Cognitive Analysis (Miyamoto, D. & Takahashi, T. 2013)
• Securing the Human to Protect the System: Human Factors in Cyber Security (Lee, M.G. 2012)
• Measuring the Human Factor of Cyber Security (Bowen et al. 2011)
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe, D. & Felt, A. P. 2013)
• Guidelines for Usable Cybersecurity: Past and Present (Nurse et al. 2011)

• Framework to gather data to understand human error
• Less biased than questionnaires
• Cognitive psychology
◦ Monitor eye movement and facial skin temperature when performing tasks

• Well-Meaning Insider
◦ slips
◦ lapses
◦ mistakes
• Malicious Insider
◦ violations
• Malicious Outsider
• 46% by well-meaning insiders, 17% violations

• Training system to prevent phishing
• Generates phishing emails and tracks the success rate
• In test group (2000 university students and staff) no successful phishing attempts after 4 iterations

• Study on browser warning messages
• Sample of ~25m interactions
• Malware warnings
◦ 7.2% Firefox, 23.2% Chrome
• Good design can increase security

• Too complex security systems might lead to weakened security
• 19 design guidelines for better usability
• Usability and Security do not have to be seen as competing system goals

• Security is rarely primary task
• Not everyone is a security specialist
◦ And also the experts make errors
• Human error is significant threat to information security...
• ...but it can be mitigated to some extent by design and training

• “Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems”
- Kevin Mitnick
