SBE: Small: THE NEW SECURITY CALCULUS: Incentivizing Good User Security Behavior

SBE：小：新的安全演算：激励良好的用户安全行为

• 批准号: 1618212
• 负责人: Sanjay Goel
• 金额: $ 49.79万
• 依托单位: SUNY at Albany
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-15 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1618212&HistoricalAwards=false
• 关键词: SBE; Small; NEW; SECURITY; CALCULUS

The threat and impact of cybersecurity breaches are felt throughout society with massive financial losses to businesses and breach of national secrets. Human behavior is increasing seen as a fundamental security vulnerability that is at the center of many security breaches. Several approaches have been used for improving user security behavior, including enacting information security policies, providing security awareness training, and introducing penalties for security violations; these approaches have not been very effective. In this research, we are influencing human security decision analysis through direct financial incentives and behavioral interventions such that the decision analysis aligns with economic rationality. The dominant theoretical frameworks used by researchers to improve information security are Protection Motivation Theory and Deterrence Theory. These theories suggest that users make rational security decisions by cognitively weighing the relative gains and losses associated with their choices within a decision calculus. They assume that users will respond rationally to perceived security threats in the environment and to sanctions imposed on noncompliance. Users are expected to internally regulate their behavior based on an understanding of security threats and the consequences of risky behavior; however, in the course of daily activities users often minimize the risks associated with their behavior and may rationalize noncompliant behavior by perceiving that costs of compliance outweigh benefits. We seek to improve security compliance by changing the user?s security decision calculus. Drawing on principles of behavioral economics, we use extrinsic rewards (i.e. financial incentives) to initiate compliance, and psychological manipulations (nudges) to promote ongoing internal regulation of security behavior, such that users sustain secure behaviors when external incentives are no longer in place. The multidisciplinary nature of this work enhances understanding of many information security issues and provides a fresh perspective for research on behavioral security and security economics.

网络安全漏洞的威胁和影响遍及整个社会，给企业带来巨大的经济损失，并泄露国家机密。人类行为越来越被视为一个基本的安全漏洞，是许多安全漏洞的核心。已经使用了几种方法来改善用户的安全行为，包括制定信息安全策略，提供安全意识培训，并引入对安全违规的处罚，这些方法都不是很有效。在这项研究中，我们通过直接的经济激励和行为干预来影响人类安全决策分析，使决策分析与经济合理性保持一致。研究人员用来提高信息安全的主要理论框架是保护动机理论和威慑理论。这些理论表明，用户通过在决策演算中认知地权衡与他们的选择相关的相对收益和损失来做出理性的安全决策。它们假定用户会对环境中感知到的安全威胁和对不遵守规定的制裁作出理性反应。用户应该根据对安全威胁和风险行为后果的理解来内部规范自己的行为;然而，在日常活动中，用户通常会将与其行为相关的风险降至最低，并可能通过感知合规成本超过收益来合理化不合规行为。我们试图通过改变用户来提高安全合规性？的安全决策演算。根据行为经济学的原理，我们使用外部奖励（即财务激励）来启动合规性，并使用心理操纵（轻推）来促进对安全行为的持续内部监管，以便用户在外部激励不再存在时维持安全行为。这项工作的多学科性质增强了对许多信息安全问题的理解，并为行为安全和安全经济学的研究提供了一个新的视角。