Productive Security - Improving security compliance and productivity through measurement

生产安全 - 通过测量提高安全合规性和生产效率

• 批准号: EP/K006517/1
• 负责人: Martina Angela Sasse
• 金额: $ 148.86万
• 依托单位: University College London
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2012
• 资助国家: 英国
• 起止时间: 2012 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FK006517%2F1
• 关键词: Productive; Security; Improving; security; compliance

There has been a growing body of evidence that security policies and controls are not effective because employees either can't, or won't, comply. A key reason for non-compliance is the workload and complexity of security controls chosen - employees simply cannot cope with an ever-increasing number of ever-longer and more complex passwords. Yet most security-decision-makers do not factor the impact on employees, their tasks, and company's business processes, into their decision about which security controls to put in place. Current attempts to 'edcuate' employees about the need for security are largely ineffective because they simply push more information on people who are already overworked.And even in organisations with a high security awareness, non-compliance can be observed because security policy cause excessive friction, or are not agile enough to meet the needs of the business.There exists a strong requirement for a structured, scientifically-grounded decision-making framework into which existing data can be inserted, alongside the key 'missing link' measurements of employee's workload, risk perception, and resulting security behaviours. The project will work with at least two major companies to collect such data, and build a model of that allows security decision-makers to 'calculate' the impact of the security controls on employees and business processes, and balance them against the risk mitigation the security control achieves. A further innovative step in this proposal is that well-chosen security controls could make contributions to the business process beyond security, if the imformation they provide can be used to improve quality of products or services - hence the title of the project.

越来越多的证据表明，安全策略和控制措施是无效的，因为员工不能或不愿遵守。不合规的一个关键原因是所选安全控制的工作量和复杂性-员工根本无法科普越来越多的更长、更复杂的密码。然而，大多数安全决策者在决定实施哪些安全控制时，并没有考虑到对员工、他们的任务和公司业务流程的影响。目前试图“教育”员工对安全的需求基本上是无效的，因为他们只是把更多的信息推给那些已经超负荷工作的人。即使在具有高度安全意识的组织中，也可以观察到不合规的情况，因为安全策略会导致过度摩擦，或者不够灵活，无法满足业务需求。这是一个基于科学的决策框架，可以将现有数据插入其中，以及对员工工作量、风险感知和由此产生的安全行为的关键“缺失环节”测量。该项目将与至少两家大公司合作收集此类数据，并建立一个模型，允许安全决策者“计算”安全控制对员工和业务流程的影响，并将其与安全控制实现的风险缓解进行平衡。本提案中的另一个创新步骤是，如果精心选择的安全控制提供的信息可以用于提高产品或服务的质量，那么它们可以对业务流程做出超越安全的贡献-因此该项目的名称。

项目成果

Awareness is only the first step

意识只是第一步

• 发表时间: 2015
• 作者: Beyer M

Obstacles to the Adoption of Secure Communication Tools

• DOI: 10.1109/sp.2017.65
• 发表时间: 2017-05
• 期刊: 2017 IEEE Symposium on Security and Privacy (SP)
• 作者: Ruba Abu-Salma;M. Sasse;Joseph Bonneau;A. Danilova;Alena Naiakshina;Matthew Smith

Combining Qualitative Coding and Sentiment Analysis: Deconstructing Perceptions of Usable Security in Organisations

结合定性编码和情感分析：解构组织中可用安全的看法

• 发表时间: 2016
• 作者: Becker I

The Security Blanket of the Chat World: An Analytic Evaluation and a User Study of Telegram

聊天世界的安全毯：Telegram 的分析评估和用户研究

• DOI: 10.14722/eurousec.2017.23006
• 发表时间: 2017
• 作者: Abu-Salma R

Finding Security Champions in Blends of Organisational Culture

在组织文化的融合中寻找安全冠军

• DOI: 10.14722/eurousec.2017.23007
• 发表时间: 2017
• 作者: Becker I