Choice Architecture for Information Security

Lead Research Organisation: Newcastle University
Department Name: Computing Sciences

Abstract

Information security decisions are often made without any formal or rigorous backing. For instance, data about impact or likelihood of security breaches is rarely available. Careful prediction, for instance using monte carlo simulation, is often ommitted. It is natural, but also somewhat easy, to say that we need more rigorous techniques when we make information security decision. In the investigator's own work the following key challenges remain unresolved.

First, rigorous approaches may introduce a false sense of security to decision-makers by not fully disclosing assumptions to decision makers (e.g, a model may assume a restricted attack scenario). Secondly, one may invest in perfecting the rigorous aspect without gaining too much more information; that is, the value of the added rigour may not lead to better decisions. This violates Buffett's mantra to better be approximately right than precisely wrong. Thirdly, decision-makers tend to ignore the information they receive through rigorous assessment, unless it validates the decision they already intended to make.

To address these issues, we take inspiration from the work on nudging in the behavioural economics community, which provides a framework to influence decision makers as effectively as possible. In particular, we need tools and techniques to form a choice architecture tailored to information security. Information security has particular well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. In particular, the project will establish rigorous mathematical approaches to include uncertainty about unknowns in our analysis, and will derived a theory about the 'value of rigour', allowing experts to judge which elements of rigour pay off further investment.

We do our research in connection to one overarching information security issue of high practical importance, namely 'consumerization', that is, the use in the workplace of people's own technologies. This is possibly the main challenge that IT departments face in the coming years, to keep the workplace secure as the boundaries between work and personal life become more blurred. Depending on the enterprise, doing the "right thing" may result in different policies. The project will work with large organisations and SMEs through well-established channels. It will demonstrate the benefits of the advocated choice architecture through a case study in an SME.

In very concrete terms, a possible outcome that an end user may experience as result of the project is as follows. Our research in the psychology of choice may reveal that a sense of ownership of data contributes to better security behaviour of employees. Quantitative techniques underlying the choice architecture measure the frequency with which an employee uses the phone for this purpose. Nudging tools are installed both as a mobile phone application and as a desktop tool for the CISO. For example, the tool for employees may be a mobile app that visually displays the consequence of data loss from the perspective of the employee, for instance in terms of how success in their job may be at stake. It makes strategic use of opt-outs and opt-ins to nudge the employee to balance security and productivity based on an underlying predictive model. The nudging tool for the CISO may be a desktop tool that provides the latest data and can be configured for a particular part of the organisation. The CISO tool carefully protects against a false sense of security by presenting the risk of unknowns and helps the CISO understand what data and which underlying assessment or decision-making would help improve the decision-making most.

Planned Impact

The impact that ChAISe aims to create stems, on the one hand, from its foundational research contributions and, on the other hand, from making these available through tools used in a real-life context within organisations.

So, the impact goals are as follows:

- knowledge: we will disseminate the research results in academic venues, and we will target specific venues year after year to create maximum impact for our results (the venues are WEIS, DSN, SOUPS, CHI, see JoR). Additionally, we will make the software and physical tools openly available.

Impact through knowledge will also arise from the dissemination events funded through the EPSRC Network for Cybercrime, see 'society'.

The Cybercrime Centre at NCL and nuWARP at NH provide very powerful venues to regional government and industry. The Centre runs master classes together with the North East Fraud Forum, and by combining this with the nuWARP SME base we greatly increase our impact through spreading knowledge. We also regularly participate in outreach events, e.g. at the Centre for Life, the Great North Museum, etc.

- economy: as shown by the outcomes of the TSB-funded Trust Economics project (in which the PI participated), the techniques and tools we develop can be used in consulting services. We believe that our choice architecture is yet one step more useful through its influencing capabilities. We did not budget for activities to achieve such impact, since we need to concentrate on the research first, but the potential has been demonstrated and could easily follow from this project.

Through our work in collaboration with the JISC-funded Iridium project, we will influence the IT-related business leaders in Newcastle University, and by extension in the UK through JISC. In particular, Iridum focuses on data flow and value of data, so our work adds information security concerns to that mix. We already work intensively with the IT Information Security team in Newcastle University and will continue spreading impact through these interactions.

Through our work in nuWARP we have a uniquely powerful link with the people in SMEs that are concerned with information security. By executing the final evaluation within an SME, we will have direct impact on the security behaviour of that SME. In general, impacting SMEs can provide particularly high impact, since SMEs typically do not have the information security experts on board.

- society: we will receive partnership funding from Social Inclusion through the Digital Economy project, equivalent to two years of RA. This RA will exploit the use of our tools in designing government services, to help with information security decisions by users of the services.

We will use the recently awarded EPSRC Network in Cybercrime to fund two workshops that includes attendees from all sectors. The purpose of the workshops is to disseminate knowledge, but more importantly, to develop follow-up opportunities in any of the impact categories (knowledge, society, economy, people).

- people: the skill set that the RAs will require and further improve is in high demand, in the UK and beyond. Moreover, the interdisciplinary nature of the research will allow the RAs to grow and positions them for leading roles in academia or industry. The physical presence of the three RAs in the Cybercrime Lab will further makes them interact with others and meet additional new partners, etc.
 
Description We have identified how nudging techniques that influence human behaviours can be useful in information security. We have shown the ability of operations management research techniques to be used to influence information security decisions of people and professionals. We have published an approach (called SCENE) for practioners to discuss and introduce nudges in design of privacy and security tools. We have succesfully applied nudges to mobile apps.
Exploitation Route Our expertise can be used in various settings. For instance, the team is consulting within Newcastle University on data protection and information security issues. Briggs and Coventry have taken advisory roles in projects and other efforts. We expect practisioners to continue to build on the SCENE methodology (30 citations in just a few years indicate the wide spread interest).
Sectors Digital/Communication/Information Technologies (including Software),Financial Services, and Management Consultancy,Government, Democracy and Justice,Security and Diplomacy

 
Description The work has led to a study with the NCC Group about influencing PEN testers. The work has led to internal advisory role of the PI for Newcastle University with respect to data protection, including GDPR. The work has led to leading business continuity exercises within Newcastle University. The work has led to an advisory role of P. Briggs in EU data protection discussions. The work has been the basis for discussion with Information Security team within Newcastle University's IT team, and for discussions with the University's Registrar and members of University Court in dicussions about cyber security policies and approaches within the University.
First Year Of Impact 2015
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Societal,Economic

 
Description Blockchain for Secured Lending KTP
Amount £180,000 (GBP)
Funding ID KTP011059 
Organisation Innovate UK 
Sector Public
Country United Kingdom
Start 04/2018 
End 09/2020
 
Description FinTrust: Trust Engineering for the Financial Industry
Amount £1,000,000 (GBP)
Funding ID EP/R033595/1 
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Academic/University
Country United Kingdom
Start 08/2018 
End 07/2021
 
Description Science of Security Systems
Amount £120,000 (GBP)
Organisation National Security Agency 
Sector Public
Country United States
Start 07/2014 
End 06/2017
 
Description Science of Security Systems
Amount £170,000 (GBP)
Organisation National Security Agency 
Sector Public
Country United States
Start 04/2014 
End 04/2017
 
Description Shaping University Curricula to Critical-infrastructure Employer Needs
Amount £67,000 (GBP)
Organisation European Commission 
Sector Public
Country European Union (EU)
Start 01/2014 
End 01/2016
 
Description Shaping University Curricula to Critical-infrastructure Employer Needs
Amount £67,000 (GBP)
Organisation European Commission 
Sector Public
Country European Union (EU)
Start 04/2014 
End 03/2016
 
Description Durham University 
Organisation Durham University
Country United Kingdom 
Sector Academic/University 
PI Contribution Collaboration with CRiVa (the Centre for Research into violence and Abuse: https://www.dur.ac.uk/criva/) of Durham for joint workshops, perpetrator user pool and further projects.
Start Year 2014
 
Description Metropolitan Police 
Organisation Metropolitan Police Service
Country United Kingdom 
Sector Public 
PI Contribution Met Police UK
Start Year 2013
 
Description Multicriteria Decision Analysis for ChAISe 
Organisation University of Plymouth
Country United Kingdom 
Sector Academic/University 
PI Contribution Alessio Ishizaka (Portsmouth) visited ChAISe project on March 17,18 for collaboration on Multicriteria Decision Analysis for ChAISe
Start Year 2014
 
Description Choice Architecture in Information Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Primary Audience Policymakers/politicians
Results and Impact Iryna Yevseyeva has presented ChAISe at the meeting with Metropolitan Police representatives who visited CCCS/Newcastle University on the 30th of August.
Year(s) Of Engagement Activity 2013
 
Description Nudging Internet citizens: lessons from behavioural studies on online privacy 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Policymakers/politicians
Results and Impact Pam Briggs participated in the European Commission Joint Research Centre to contribute to a panel "Nudging Internet citizens: lessons from behavioural studies on online privacy", on 23rd January, as part of the 7th International Conference on Computers, Privacy and Data Protection (CPDP), Brussels.
Year(s) Of Engagement Activity 2014
 
Description Nudging towards security in BYOD (bring your own device) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Primary Audience
Results and Impact Iryna Yevseyeva has presented a talk on Nudging towards security in BYOD (bring your own device) on September 19 at "The First Annual Cyberpsychology Conference", APCP 2013, at the Faculty of Health and Life Sciences of De Montfort University, Leicester.
Year(s) Of Engagement Activity 2013
 
Description Panel presentation at CyberUK 2017 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Part of a panel presentation at in CYBERUK 2017.

The event was attended by nearly 2,500 representatives from across the Public Sector, CNI, Industry & Academia over the three days.
Year(s) Of Engagement Activity 2017
 
Description SASIG group meeting on Human Factors of Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Primary Audience Participants in your research or patient groups
Results and Impact Lynne Coventry has presented at the SASIG group meeting on Human Factors of Security. She presented on influencers of security behaviour. This was held at Kew Gardens on the 17th September, organised by The Security Company.
Year(s) Of Engagement Activity 2013