Formalization of Influencing in Information Security

Information security decisions typically involve a trade-off between security and productivity. In practical settings it is often the human user who is best positioned to make this trade-off, or who in fact has the right to make their own decision (as in the case of 'bring your own device'). It may then be useful to consider approaches that aim to influence the user's decision while leaving the final responsibility with the user. This is often referred to as nudging the user or, more generally, as influencing human behaviour. The main aim of this paper is to provide a generic formalization that facilitates rigorous quantitative analysis of influencing information security behaviour, giving a theoretical basis for studying, optimizing, comparing and evaluating such approaches. In particular, we propose an agent-based formalization that captures the human decision maker, the influencer, and the relationship between them. Within this formalization we characterize an optimal policy for influencing and formally prove that such policies are optimal. We then embed multi-criteria decision making into the formalism as an approach to modelling human behaviour and to choosing between alternatives. We apply the formalization by deriving optimal policies for the selection of WiFi networks, where the graphical user interface aims to nudge the user towards particular security behaviour.

© 2014 Newcastle University. Printed and published by Newcastle University, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England.

Bibliographical details
MORISSET, C., YEVSEYEVA, I., GROS, T., VAN MOORSEL, A.
Formalization of Influencing in Information Security
[By] C. Morisset, I. Yevseyeva, T. Gros, and A. van Moorsel
Newcastle upon Tyne: Newcastle University: Computing Science, 2014.
(Newcastle University, Computing Science, Technical Report Series, No. CS-TR-1423)
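The abstract names the two ingredients of the report's WiFi case study, an agent-based influencer/decision-maker pair and a multi-criteria decision model, without spelling out the formalism. The following is an added illustration, not code from the report and not the authors' formalization: a standard additive (weighted-sum) multi-criteria value function for the user, an influencer that can only choose how the network list is presented, and a brute-force search for the presentation that maximizes the security of the network the user then chooses on their own. The networks, criteria, weights and the assumption that a presentation 'frame' acts as a multiplicative adjustment of the user's criterion weights are all constructed for this example.

```python
"""Illustrative weighted-sum model of nudged WiFi network selection.

Added example; it is not code from Morisset et al.'s technical report and
does not reproduce the report's formalism. All networks, weights and frames
below are constructed for illustration.
"""
from dataclasses import dataclass

CRITERIA = ("security", "speed", "cost")


@dataclass(frozen=True)
class Network:
    ssid: str
    security: float  # normalised: 0.0 = open network, 1.0 = strong encryption/auth
    speed: float     # normalised expected throughput (higher is better)
    cost: float      # normalised: 1.0 = free, lower = more expensive


# Constructed sample networks (not real measurements).
NETWORKS = [
    Network("CoffeeFree", security=0.0, speed=0.9, cost=1.0),
    Network("Campus-Secure", security=1.0, speed=0.6, cost=1.0),
    Network("HotelPaid", security=0.5, speed=0.8, cost=0.2),
]

# Constructed base weights of a user who cares mostly about speed.
BASE_WEIGHTS = {"security": 0.1, "speed": 0.6, "cost": 0.3}

# Assumption of this example: a presentation 'frame' shifts the user's
# attention, modelled as a multiplicative factor on each criterion weight.
# The influencer can choose a frame but cannot alter the networks or the
# user's decision rule.
FRAMES = {
    "plain_list": {"security": 1.0, "speed": 1.0, "cost": 1.0},
    "padlock_icons": {"security": 2.0, "speed": 1.0, "cost": 1.0},
    "speed_first": {"security": 1.0, "speed": 2.0, "cost": 1.0},
}


def value(net: Network, weights: dict) -> float:
    """Additive value function: sum over criteria of weight * attribute."""
    return sum(weights[c] * getattr(net, c) for c in CRITERIA)


def framed_weights(base: dict, frame: str) -> dict:
    """Apply a frame's attention factors to the base weights and renormalise."""
    raw = {c: base[c] * FRAMES[frame][c] for c in CRITERIA}
    total = sum(raw.values())
    return {c: raw[c] / total for c in CRITERIA}


def user_choice(networks: list, weights: dict) -> Network:
    """The user decides: the network with the highest weighted value."""
    return max(networks, key=lambda n: value(n, weights))


def influencer_objective(net: Network) -> float:
    """The influencer values only the security of the network actually chosen."""
    return net.security


def optimal_frame(networks: list, base_weights: dict) -> str:
    """Brute-force optimal influencing policy over the available frames.

    The influencer picks the frame whose induced user choice maximises the
    influencer's objective; the choice itself is still made by the user.
    """
    return max(
        FRAMES,
        key=lambda f: influencer_objective(
            user_choice(networks, framed_weights(base_weights, f))
        ),
    )


if __name__ == "__main__":
    unnudged = user_choice(NETWORKS, BASE_WEIGHTS)
    frame = optimal_frame(NETWORKS, BASE_WEIGHTS)
    nudged = user_choice(NETWORKS, framed_weights(BASE_WEIGHTS, frame))
    print(f"unnudged choice: {unnudged.ssid}")
    print(f"optimal frame:   {frame} -> {nudged.ssid}")
```

With the constructed weights the unnudged user picks the open CoffeeFree network; the padlock_icons frame is the optimal policy and leads the same decision rule to Campus-Secure. A user whose security weight is zero is unaffected by any frame and still ends up on CoffeeFree, which is the point of the nudging framing: the influencer changes the presentation, and the final decision, including a bad one, remains the user's.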
