Choice Architecture for Information Security

Lead Research Organisation: Newcastle University
Department Name: Computing Sciences

Abstract

Information security decisions are often made without any formal or rigorous backing. For instance, data about the impact or likelihood of security breaches is rarely available. Careful prediction, for instance using Monte Carlo simulation, is often omitted. It is natural, but also somewhat easy, to say that we need more rigorous techniques when we make information security decisions. In the investigator's own work the following key challenges remain unresolved.

First, rigorous approaches may introduce a false sense of security by not fully disclosing their assumptions to decision-makers (e.g., a model may assume a restricted attack scenario). Secondly, one may invest in perfecting the rigorous aspect without gaining much more information; that is, the value of the added rigour may not lead to better decisions. This violates Buffett's mantra that it is better to be approximately right than precisely wrong. Thirdly, decision-makers tend to ignore the information they receive through rigorous assessment, unless it validates the decision they already intended to make.

To address these issues, we take inspiration from the work on nudging in the behavioural economics community, which provides a framework to influence decision-makers as effectively as possible. In particular, we need tools and techniques to form a choice architecture tailored to information security. Information security has particular well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. In particular, the project will establish rigorous mathematical approaches to include uncertainty about unknowns in our analysis, and will derive a theory about the 'value of rigour', allowing experts to judge which elements of rigour justify further investment.

We do our research in connection to one overarching information security issue of high practical importance, namely 'consumerization', that is, the use in the workplace of people's own technologies. This is possibly the main challenge that IT departments face in the coming years, to keep the workplace secure as the boundaries between work and personal life become more blurred. Depending on the enterprise, doing the "right thing" may result in different policies. The project will work with large organisations and SMEs through well-established channels. It will demonstrate the benefits of the advocated choice architecture through a case study in an SME.

In very concrete terms, a possible outcome that an end user may experience as result of the project is as follows. Our research in the psychology of choice may reveal that a sense of ownership of data contributes to better security behaviour of employees. Quantitative techniques underlying the choice architecture measure the frequency with which an employee uses the phone for this purpose. Nudging tools are installed both as a mobile phone application and as a desktop tool for the CISO. For example, the tool for employees may be a mobile app that visually displays the consequence of data loss from the perspective of the employee, for instance in terms of how success in their job may be at stake. It makes strategic use of opt-outs and opt-ins to nudge the employee to balance security and productivity based on an underlying predictive model. The nudging tool for the CISO may be a desktop tool that provides the latest data and can be configured for a particular part of the organisation. The CISO tool carefully protects against a false sense of security by presenting the risk of unknowns and helps the CISO understand what data and which underlying assessment or decision-making would help improve the decision-making most.

Planned Impact

The impact that ChAISe aims to create stems, on the one hand, from its foundational research contributions and, on the other hand, from making these available through tools used in a real-life context within organisations.

So, the impact goals are as follows:

- knowledge: we will disseminate the research results in academic venues, and we will target specific venues year after year to create maximum impact for our results (the venues are WEIS, DSN, SOUPS, CHI, see JoR). Additionally, we will make the software and physical tools openly available.

Impact through knowledge will also arise from the dissemination events funded through the EPSRC Network for Cybercrime, see 'society'.

The Cybercrime Centre at NCL and nuWARP at NH provide very powerful venues to regional government and industry. The Centre runs master classes together with the North East Fraud Forum, and by combining this with the nuWARP SME base we greatly increase our impact through spreading knowledge. We also regularly participate in outreach events, e.g. at the Centre for Life, the Great North Museum, etc.

- economy: as shown by the outcomes of the TSB-funded Trust Economics project (in which the PI participated), the techniques and tools we develop can be used in consulting services. We believe that our choice architecture is yet one step more useful through its influencing capabilities. We did not budget for activities to achieve such impact, since we need to concentrate on the research first, but the potential has been demonstrated and could easily follow from this project.

Through our work in collaboration with the JISC-funded Iridium project, we will influence the IT-related business leaders in Newcastle University, and by extension in the UK through JISC. In particular, Iridium focuses on data flow and the value of data, so our work adds information security concerns to that mix. We already work intensively with the IT Information Security team in Newcastle University and will continue spreading impact through these interactions.

Through our work in nuWARP we have a uniquely powerful link with the people in SMEs that are concerned with information security. By executing the final evaluation within an SME, we will have direct impact on the security behaviour of that SME. In general, impacting SMEs can provide particularly high impact, since SMEs typically do not have the information security experts on board.

- society: we will receive partnership funding from Social Inclusion through the Digital Economy project, equivalent to two years of RA. This RA will exploit the use of our tools in designing government services, to help with information security decisions by users of the services.

We will use the recently awarded EPSRC Network in Cybercrime to fund two workshops that include attendees from all sectors. The purpose of the workshops is to disseminate knowledge, but more importantly, to develop follow-up opportunities in any of the impact categories (knowledge, society, economy, people).

- people: the skill set that the RAs will require and further improve is in high demand, in the UK and beyond. Moreover, the interdisciplinary nature of the research will allow the RAs to grow and position them for leading roles in academia or industry. The physical presence of the three RAs in the Cybercrime Lab will further make them interact with others and meet additional new partners.

Publications

Yevseyeva I (2022) Addressing consumerization of IT risks with nudging in International Journal of Information Systems and Project Management

Gross T (2016) Effect of cognitive depletion on password choice in Learning from Authoritative Security Experiment Results (LASER'16) (July 2016), S. Peisert, Ed.

Yevseyeva I (2015) Selecting Optimal Subset of Security Controls in Procedia Computer Science

Yevseyeva I (2016) Two-stage Security Controls Selection in Procedia Computer Science

Gross T (2016) Effect of Cognitive Effort on Password Choice in Symposium on Usable Privacy and Security (SOUPS)

McGough A (2015) Insider Threats

Alsuhibany S (2013) Detection of attack strategies

Arief B (2014) Sensible Privacy

Turland J (2015) Nudging towards security

 
Description We have identified how nudging techniques that influence human behaviours can be useful in information security. We have shown the ability of operations management research techniques to be used to influence information security decisions of people and professionals. We have published an approach (called SCENE) for practitioners to discuss and introduce nudges in the design of privacy and security tools. We have successfully applied nudges to mobile apps.
Exploitation Route Our expertise can be used in various settings. For instance, the team is consulting within Newcastle University on data protection and information security issues. Briggs and Coventry have taken advisory roles in projects and other efforts. We expect practitioners to continue to build on the SCENE methodology (30 citations in just a few years indicate the widespread interest).
Sectors Digital/Communication/Information Technologies (including Software), Financial Services and Management Consultancy, Government, Democracy and Justice, Security and Diplomacy

 
Description The work has led to a study with the NCC Group about influencing penetration testers. The work has led to an internal advisory role of the PI for Newcastle University with respect to data protection, including GDPR, as part of the Registrar and University Court's task and finish group on GDPR. The work has led to leading business continuity exercises within Newcastle University through a collaboration of the project's researchers and the IT division of Newcastle University. The work has led to an advisory role of P. Briggs in an EU data protection panel. This project is one of four research projects that founded the Research Institute in Science of Cyber Security (RISCS), which has had a large influence on policy makers and NCSC regarding accounting for human factors in cyber security. One effort includes the review of cyber security standards through an academic/industry advisory group. That effort led to advice to NCSC that existing standards were poorly fit for the purpose of securing the supply chain of government and other organisations, and led to the initiation of Cyber Essentials. This has led to continued collaboration between Newcastle University IT and the academics in terms of fulfilling Cyber Essentials requirements in the University, and to continued discussions with NCSC about the pitfalls behind compliance for Universities. Researcher Machulak founded the start-up CloudIdentity Ltd, which considered data management on social networks, and led to IETF standardisation proposals in User Managed Access, as a follow-up to the well-known OAuth standard used routinely in the software industry.
First Year Of Impact 2013
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Societal, Economic, Policy & public services

 
Description Blockchain for Secured Lending KTP
Amount £180,000 (GBP)
Funding ID KTP011059 
Organisation Innovate UK 
Sector Public
Country United Kingdom
Start 04/2018 
End 09/2020
 
Description FinTrust: Trust Engineering for the Financial Industry
Amount £1,000,000 (GBP)
Funding ID EP/R033595/1 
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Public
Country United Kingdom
Start 08/2018 
End 07/2021
 
Description Fostering Collaboration Between two ACE-CSRs
Amount £10,202 (GBP)
Organisation Government Communications Headquarters (GCHQ) 
Sector Public
Country United Kingdom
Start 11/2015 
End 03/2016
 
Description NCSC/EPSRC FinTech Research Directions Workshop
Amount £5,700 (GBP)
Organisation Engineering and Physical Sciences Research Council (EPSRC) 
Sector Public
Country United Kingdom
Start 03/2018 
End 03/2018
 
Description Science of Security Systems
Amount £120,000 (GBP)
Organisation National Security Agency 
Sector Public
Country United States
Start 07/2014 
End 06/2017
 
Description Science of Security Systems
Amount £170,000 (GBP)
Organisation National Security Agency 
Sector Public
Country United States
Start 04/2014 
End 04/2017
 
Description Shaping University Curricula to Critical-infrastructure Employer Needs
Amount £67,000 (GBP)
Organisation European Commission 
Sector Public
Country European Union (EU)
Start 04/2014 
End 03/2016
 
Description Shaping University Curricula to Critical-infrastructure Employer Needs
Amount £67,000 (GBP)
Organisation European Commission 
Sector Public
Country European Union (EU)
Start 01/2014 
End 01/2016
 
Description Durham University 
Organisation Durham University
Country United Kingdom 
Sector Academic/University 
PI Contribution Collaboration with CRiVA (the Centre for Research into Violence and Abuse: https://www.dur.ac.uk/criva/) of Durham University for joint workshops, a perpetrator user pool and further projects.
Start Year 2014
 
Description Metropolitan Police 
Organisation Metropolitan Police Service
Country United Kingdom 
Sector Public 
PI Contribution Met Police UK
Start Year 2013
 
Description Multicriteria Decision Analysis for ChAISe 
Organisation University of Plymouth
Country United Kingdom 
Sector Academic/University 
PI Contribution Alessio Ishizaka (Portsmouth) visited the ChAISe project on March 17-18 for collaboration on Multicriteria Decision Analysis for ChAISe.
Start Year 2014
 
Description Choice Architecture in Information Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Iryna Yevseyeva has presented ChAISe at the meeting with Metropolitan Police representatives who visited CCCS/Newcastle University on the 30th of August.
Year(s) Of Engagement Activity 2013
 
Description Nudging Internet citizens: lessons from behavioural studies on online privacy 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Policymakers/politicians
Results and Impact Pam Briggs participated in the European Commission Joint Research Centre to contribute to a panel "Nudging Internet citizens: lessons from behavioural studies on online privacy", on 23rd January, as part of the 7th International Conference on Computers, Privacy and Data Protection (CPDP), Brussels.
Year(s) Of Engagement Activity 2014
 
Description Nudging towards security in BYOD (bring your own device) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Professional Practitioners
Results and Impact Iryna Yevseyeva has presented a talk on Nudging towards security in BYOD (bring your own device) on September 19 at "The First Annual Cyberpsychology Conference", APCP 2013, at the Faculty of Health and Life Sciences of De Montfort University, Leicester.
Year(s) Of Engagement Activity 2013
 
Description Panel presentation at CyberUK 2017 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Part of a panel presentation at CyberUK 2017.

The event was attended by nearly 2,500 representatives from across the Public Sector, CNI, Industry & Academia over the three days.
Year(s) Of Engagement Activity 2017
 
Description SASIG group meeting on Human Factors of Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Lynne Coventry has presented at the SASIG group meeting on Human Factors of Security. She presented on influencers of security behaviour. This was held at Kew Gardens on the 17th September, organised by The Security Company.
Year(s) Of Engagement Activity 2013