Supporting Security Policy with Effective Digital Intervention (SSPEDI)

通过有效的数字干预支持安全策略 (SSPEDI)

• 批准号: EP/P011829/1
• 负责人: Matthew Collinson
• 金额: $ 96.41万
• 依托单位: University of Aberdeen
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FP011829%2F1
• 关键词: Supporting; Security; Policy; Effective; Digital

The behaviour of people is known to be critical to the security of organizations across all sectors of the economy. As users of IT systems, their action, or inaction, can create cyber security vulnerabilities. For example, users can be tempted to give away their authentication credentials (by phishing), to install malign software (malware), choose weak or inadequate passwords, or they may fail to install security patches, to scan computers for viruses, or to make secure backups of critical data. Organizations design security policies which users are supposed to follow, for example, instructing them not to give away their authentication (login) credentials, or not to open certain kinds of attachments sent in unsolicited emails. However, in practice, managers find it very difficult to encourage users to follow policy. This project will investigate effective ways to improve security communications with users, to enable them to understand security risks, and to persuade them to comply with policy. Our hypothesis is that to be most effective, communications and policy implementations must take into account individual personalities and motivations. Technological support is therefore required to support security communications and security persuasion so that it can scale up to large organizations. We propose to transfer ideas and knowledge from the existing academic field of persuasive technologies and digital behaviour interventions, and apply them to the user security compliance problem. We will build, and trial, real technologies that implement persuasive strategies in real user security scenarios. These scenarios will be selected in partnership with industrial security practitioners. The project takes a broad, interdisciplinary view of the roots of the user compliance challenge, and draws additionally on expert knowledge from the fields of psychology, behavioural decision, security, sentiment analysis and argumentation in search of solutions.

众所周知，人们的行为对经济各部门各组织的安全至关重要。作为IT系统的用户，他们的行动或不作为可能会造成网络安全漏洞。例如，用户可能会受到诱惑，放弃他们的身份验证凭据(通过网络钓鱼)，安装恶意软件(恶意软件)，选择薄弱或不适当的密码，或者他们可能无法安装安全补丁、扫描计算机病毒或对关键数据进行安全备份。组织设计了用户应该遵循的安全策略，例如，指示用户不要泄露其身份验证(登录)凭据，或不要打开通过未经请求的电子邮件发送的某些类型的附件。然而，在实践中，管理者发现很难鼓励用户遵守政策。该项目将研究改善与用户的安全通信的有效方法，使他们能够了解安全风险，并说服他们遵守政策。我们的假设是，要达到最有效的效果，沟通和政策实施必须考虑到个人的个性和动机。因此，需要技术支持来支持安全通信和安全劝说，以便能够扩大到大型组织。我们建议从现有的说服技术和数字行为干预的学术领域转移思想和知识，并将它们应用于用户安全合规问题。我们将构建并试验在真实用户安全场景中实施说服性策略的真实技术。这些情景将与工业安全从业人员合作进行选择。该项目对用户遵约挑战的根源采取了广泛的跨学科观点，并进一步借鉴了心理学、行为决策、安全、情绪分析和辩论等领域的专家知识，以寻求解决办法。

项目成果

Risks and Security of Internet and Systems. CRiSIS 2020. Lecture Notes in Computer Science, vol 12528.

互联网和系统的风险和安全。

• 发表时间: 2021
• 作者: Al-Hadhrami N

Automatically Labelling Sentiment-Bearing Topics with Descriptive Sentence Labels

• DOI: 10.1007/978-3-319-59569-6_38
• 发表时间: 2017-06
• 作者: M. Barawi;Chenghua Lin;Advaith Siddharthan

Tell Me How to Survey: Literature Review Made Simple with Automatic Reading Path Generation

告诉我如何调查：通过自动生成阅读路径使文献综述变得简单

• DOI: 10.48550/arxiv.2110.06354
• 发表时间: 2021
• 作者: Ding J

How can persuasion reduce user cyber security vulnerabilities?

如何说服减少用户网络安全漏洞？

• 发表时间: 2018
• 作者: John Paul Vargheese

Policies to Regulate Distributed Data Exchange

监管分布式数据交换的政策

• 发表时间: 2018
• 作者: Cauvin S.R.