SBE: Medium: Understanding and Influencing Security and Privacy Decision-making

SBE：媒介：理解并影响安全和隐私决策

• 批准号: 1314644
• 负责人: Michael Orosz
• 金额: $ 60万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-15 至 2016-02-29
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1314644&HistoricalAwards=false
• 关键词: SBE; Medium; Understanding; Influencing; Security

Cyber security is increasingly seen as the management of economic trade-offs: balancing losses from actual attacks (e.g., monetary costs, psychological costs due to loss of privacy, etc.) against the costs of threat/attack mitigation mechanisms (e.g., monetary costs, degradation of performance and productivity, etc.). While tackling this multi-attribute decision problem in a highly dynamic and uncertain environment, individuals frequently diverge from rationality. To better understand the deviation from rational behavior and to find effective ways to remediate this (when necessary), a systematic study will be undertaken with the results used to model the human behavior of malicious actors (attackers), non-malicious actors - those who intend to maintain the security of a system (defenders) and actors whose behavior/attitudes are indifferent to system security, but do not intend to attack the system (end users).The research methodology involves: (1) generating representative scenarios of various attack / mitigation decision problems, (2) conducting surveys using scenario simulations to identify the drivers of human behavior relative to each scenario, (3) developing models of human behavior that involve the application of various normative and descriptive models from behavioral economics, (4) comparing the outcomes of the models, (5) conducting controlled laboratory experiments with human subjects to reveal differences between predicted and observed user behavior, (6) using the developed models to help determine what measures can be employed to change human behavior, and (7) implementing, simulating, and evaluating the developed models in a multi-agent system.The project has three key tasks:(1) Explore what factors drive an adversary to select a particular cyber-attack and what motivates the benign user to either take or not take action. The proposed research also will examine what steps can be taken to change human behavior - either to not attack, take certain attack paths, or, for a benign user, take steps to avoid or mitigate an attack.(2) Explore the potential difference between optimal and actual security decisions, to determine when and why deviation from the optimal decision occurs, and identify effective means to correct deviations from rationality that impede the realization of good security outcomes.(3) Investigate how attackers can take advantage of the gap between perceived and actual risk, as well as attackers? risk taking behavior. This is critical to ensuring the development and implementation of effective monitoring and mitigation technologies.The research will develop techniques and models delivering the foundation for future security-focused behavioral modeling research, provide much needed empirical data, and produce a software toolkit for developing, testing and evaluating methods and models to study human security decision-making.

网络安全越来越被视为经济权衡的管理：平衡实际攻击造成的损失（例如，金钱成本、因失去隐私而产生的心理成本等）与成本相比， 威胁/攻击 缓解 机制 (e.g., 货币 成本， 性能和生产率的降低等）。在高度动态和不确定的环境中处理多属性决策问题时，个体经常偏离理性。为了更好地理解理性行为的偏差，并找到有效的方法来补救这一点，（必要时），将进行系统的研究，结果用于模拟恶意行为者的人类行为（攻击者），非恶意参与者-那些打算维护系统安全的人（防御者）和行为/态度对系统安全漠不关心，但不打算攻击系统的参与者（最终用户）。研究方法包括：（1）生成各种攻击/缓解决策问题的代表性场景，（2）使用场景模拟进行调查以识别与每个场景相关的人类行为的驱动因素，（3）开发人类行为的模型，该模型涉及来自行为经济学的各种规范和描述模型的应用，（4）比较模型的结果，（5）对人类受试者进行受控实验室实验以揭示预测的和观察到的用户行为之间的差异，（6）使用开发的模型来帮助确定可以采用什么措施来改变人类行为，以及（7）在多代理系统中实现、模拟和评估开发的模型。该项目有三个关键任务：（1）探索是什么因素促使对手选择特定的网络攻击，以及是什么促使良性用户采取或不采取行动。拟议的研究还将研究可以采取哪些措施来改变人类行为-要么不攻击，采取某些攻击路径，或者对于良性用户，采取措施避免或减轻攻击。(2)探索最佳和实际安全决策之间的潜在差异，以确定何时以及为什么偏离最佳决策，并确定有效的方法来纠正妨碍实现良好安全结果的合理性偏差。(3)调查攻击者如何利用感知风险和实际风险之间的差距以及攻击者？冒险行为。这对于确保开发和实施有效的监测和缓解技术至关重要。该研究将开发技术和模型，为未来以安全为重点的行为建模研究奠定基础，提供急需的经验数据，并制作用于开发，测试和评估方法和模型的软件工具包，以研究人类安全决策。