Evaluation of the Effectiveness of Risk Assessment and Security Fatigue Visualization Model for Internal E-Crime

As the Internet has become an ever more important infrastructure, the threat of electronic crime (e-crime) has increased. To counter threats to information security, many information security solutions have been introduced and security policies have been made stricter. However, excessively strict policies may lower the security consciousness of employees and cause the security policy to become a dead letter. The feeling caused by following such strict information security policies is called security fatigue. Security fatigue is gaining attention as a research issue; for example, a workshop was held at SOUPS, one of the top conferences in usable security, and a report by NIST researchers was published. To contribute to this research, we have proposed a security condition matrix to visualize how IT users feel security fatigue with respect to security countermeasures. The security condition matrix is a two-dimensional model, with the security fatigue degree on the vertical axis and the security countermeasure implementation degree on the horizontal axis. Using this matrix, it becomes possible to visualize how dangerous a person is in terms of information security and to facilitate security countermeasures in accordance with each condition on the matrix. In this paper, we evaluated the effectiveness of the proposed security fatigue model for internal e-crime.
