The Role of Human Factors/Ergonomics in the Science of Security

Objective: The overarching goal is to convey the concept of science of security and the contributions that a scientifically based, human factors approach can make to this interdisciplinary field. Background: Rather than a piecemeal approach to solving cybersecurity problems as they arise, the U.S. government is mounting a systematic effort to develop an approach grounded in science. Because humans play a central role in security measures, research on security-related decisions and actions grounded in principles of human information-processing and decision-making is crucial to this interdisciplinary effort. Method: We describe the science of security and the role that human factors can play in it, and use two examples of research in cybersecurity—detection of phishing attacks and selection of mobile applications—to illustrate the contribution of a scientific, human factors approach. Results: In these research areas, we show that systematic information-processing analyses of the decisions that users make and the actions they take provide a basis for integrating the human component of security science. Conclusion: Human factors specialists should utilize their foundation in the science of applied information processing and decision making to contribute to the science of cybersecurity.
