权益分类	功能权益	普通用户	{{item.name}}会员
{{category.name}}	{{benefitItem.name}}

Choice Architecture for Information Security

信息安全的选择架构

基本信息

批准号：
EP/K006568/1
负责人：
Aad Van Moorsel
金额：
$ 113.12万
依托单位：
Newcastle University
依托单位国家：
英国
项目类别：
Research Grant
财政年份：
2013
资助国家：
英国
起止时间：
2013 至无数据
项目状态：
已结题

来源：
https://gtr.ukri.org/projects?ref=EP%2FK006568%2F1
关键词：
Choice Architecture Information Security

项目摘要

Information security decisions are often made without any formal or rigorous backing. For instance, data about impact or likelihood of security breaches is rarely available. Careful prediction, for instance using monte carlo simulation, is often ommitted. It is natural, but also somewhat easy, to say that we need more rigorous techniques when we make information security decision. In the investigator's own work the following key challenges remain unresolved. First, rigorous approaches may introduce a false sense of security to decision-makers by not fully disclosing assumptions to decision makers (e.g, a model may assume a restricted attack scenario). Secondly, one may invest in perfecting the rigorous aspect without gaining too much more information; that is, the value of the added rigour may not lead to better decisions. This violates Buffett's mantra to better be approximately right than precisely wrong. Thirdly, decision-makers tend to ignore the information they receive through rigorous assessment, unless it validates the decision they already intended to make. To address these issues, we take inspiration from the work on nudging in the behavioural economics community, which provides a framework to influence decision makers as effectively as possible. In particular, we need tools and techniques to form a choice architecture tailored to information security. Information security has particular well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. In particular, the project will establish rigorous mathematical approaches to include uncertainty about unknowns in our analysis, and will derived a theory about the 'value of rigour', allowing experts to judge which elements of rigour pay off further investment. We do our research in connection to one overarching information security issue of high practical importance, namely 'consumerization', that is, the use in the workplace of people's own technologies. This is possibly the main challenge that IT departments face in the coming years, to keep the workplace secure as the boundaries between work and personal life become more blurred. Depending on the enterprise, doing the "right thing" may result in different policies. The project will work with large organisations and SMEs through well-established channels. It will demonstrate the benefits of the advocated choice architecture through a case study in an SME. In very concrete terms, a possible outcome that an end user may experience as result of the project is as follows. Our research in the psychology of choice may reveal that a sense of ownership of data contributes to better security behaviour of employees. Quantitative techniques underlying the choice architecture measure the frequency with which an employee uses the phone for this purpose. Nudging tools are installed both as a mobile phone application and as a desktop tool for the CISO. For example, the tool for employees may be a mobile app that visually displays the consequence of data loss from the perspective of the employee, for instance in terms of how success in their job may be at stake. It makes strategic use of opt-outs and opt-ins to nudge the employee to balance security and productivity based on an underlying predictive model. The nudging tool for the CISO may be a desktop tool that provides the latest data and can be configured for a particular part of the organisation. The CISO tool carefully protects against a false sense of security by presenting the risk of unknowns and helps the CISO understand what data and which underlying assessment or decision-making would help improve the decision-making most.

信息安全决策通常是在没有任何正式或严格的支持的情况下做出的。例如，有关安全漏洞的影响或可能性的数据很少。仔细的预测，例如使用蒙特卡罗模拟，经常被省略。当我们做出信息安全决策时，我们需要更严格的技术，这是很自然的，但也有些容易。在调查员自己的工作中，下列关键挑战仍未解决。首先，严格的方法可能会给决策者带来错误的安全感，因为他们没有完全向决策者披露假设(例如，模型可能假设了受限攻击场景)。其次，人们可能会在没有获得太多信息的情况下投资于完善严格的方面；也就是说，增加的严格的价值可能不会导致更好的决策。这违背了巴菲特的口头禅，即最好是大致正确，而不是完全错误。第三，决策者往往忽视他们通过严格评估获得的信息，除非这些信息证实了他们已经打算做出的决定。为了解决这些问题，我们从行为经济学领域关于推动的工作中获得启发，该工作提供了一个框架，尽可能有效地影响决策者。特别是，我们需要工具和技术来形成为信息安全量身定做的选择架构。信息安全具有特定的众所周知的特征，我们将利用这些特征来为CHOICE体系结构提供足够的严格性。特别是，该项目将建立严格的数学方法，在我们的分析中包括未知的不确定性，并将推导出一个关于“严谨性的价值”的理论，允许专家判断哪些严谨性元素能为进一步的投资带来回报。我们的研究与一个具有高度现实重要性的最重要的信息安全问题有关，即“消费化”，即在工作场所使用人们自己的技术。随着工作和个人生活之间的界限变得更加模糊，这可能是IT部门在未来几年面临的主要挑战，即确保工作场所的安全。根据企业的不同，做正确的事情可能会导致不同的政策。该项目将通过完善的渠道与大型组织和中小企业合作。它将通过一个中小企业的案例研究来展示所倡导的选择体系结构的好处。具体地说，最终用户可能体验到的项目结果如下。我们对选择心理学的研究可能会揭示，对数据的拥有感有助于员工更好的安全行为。基于选择架构的量化技术衡量员工为此使用手机的频率。轻推工具既作为移动电话应用程序安装，也作为CISO的桌面工具安装。例如，针对员工的工具可以是移动应用程序，它从员工的角度直观地显示数据丢失的后果，例如，根据他们的工作成功可能面临的风险。它战略性地利用选择退出和选择加入，以推动员工基于底层预测模型平衡安全性和工作效率。CISO的轻推工具可以是提供最新数据的桌面工具，并且可以针对组织的特定部分进行配置。CISO工具通过呈现未知风险来小心地防止错误的安全感，并帮助CISO了解哪些数据以及哪些基础评估或决策将最大程度地帮助改进决策。