Leveraging behavioral science to mitigate cyber security risk

Most efforts to improve cyber security focus primarily on incorporating new technological approaches in products and processes. However, a key element of improvement involves acknowledging the importance of human behavior when designing, building and using cyber security technology. In this survey paper, we describe why incorporating an understanding of human behavior into cyber security products and processes can lead to more effective technology. We present two examples: the first demonstrates how leveraging behavioral science leads to clear improvements, and the second illustrates how behavioral science offers the potential for significant increases in the effectiveness of cyber security. Based on feedback collected from practitioners in preliminary interviews, we narrow our focus to two important behavioral aspects: cognitive load and bias. Next, we identify proven and potential behavioral science findings that have cyber security relevance, related not only to cognitive load and bias but also to heuristics and behavioral science models. We conclude by suggesting several next steps for incorporating behavioral science findings into technological design, development and use.
