System design considerations for risk perception

The perception of risk drives security analysts' decision making. However, analysts may hold conflicting views of the same risk depending on personal, system and environmental factors, and these differences in perception and opinion can impair effective decision making. In this paper, we propose a model that highlights the areas contributing to the perception of risk in a socio-technical environment and their implications for system design. We validate the model using a hypothetical scenario grounded in both the literature and empirical data.
