Aiding information security decisions with human factors using quantitative and qualitative techniques
PhD Thesis
The Information Security Decision Making Process is comprised of an extremely complex
and dynamic set of sub-tasks, sub-goals and inter-disciplinary practices. In order to be
effective and appropriate, this process must balance both the requirements of the stakeholder
as well as the users within the system. Without careful consideration of users' behaviours and
preferences, interventions are often seen as obstacles towards productivity and subsequently
circumvented or simply not adhered to. The approach detailed herein requires an intimate
knowledge of both Information Security and Human Behaviour.
An effective security policy must adequately protect a given set of assets (human and
non-human) or systems as well as preserve maximal productivity. Companies rely on their
Intellectual Property Rights which are often stored in a digital format. This presents a
plethora of issues regarding security, access management and locality (whether on or off
the premises). Furthermore, there is the added complexity of employees and how they
operate within this environment (a subset of compliance, competence and policy). With
the continued increase in consumerisation, more specifically the rise of Bring Your Own
Device, there is a significant threat towards data security that persists outside of the typical
working environment. This trend enables employees to access and transfer corporate assets
remotely but in doing so creates a conflict over identity, ownership and data management. The
governance of these activities creates an extremely complex problem space in which these
requirements must be balanced, relying on an accurate assessment of risk, identification
of security vulnerabilities and knowledge pertaining to the behaviour of employees.
The risks to company assets can be estimated by the analysis of the following issues:
• Threats to your assets. These are unwanted events that could cause the deliberate or
accidental loss, damage or misuse of the assets.
• Vulnerabilities. How susceptible your assets are to attack.
• Impact. The magnitude of the potential loss or the seriousness of the event.
The ability to quantify and accurately represent these variables is critical in developing,
implementing and supporting a successful security policy.
The dissertation is structured as follows. Chapter 1 provides an abstract overview of
the problem space and highlights our aims, objectives and publications. Chapter 2 details
an in-depth literature review of the cross-disciplinary problem space. This involves both
the analysis of industry standards, practices and reports as well as a summary of academic
literature pertaining to theoretical frameworks and simulations for discussion. Chapter 3
introduces our problem space and documents the rationale for designing our methodology.
Each successive chapter (4, 5, & 6) documents a separate investigative strategy for populating
specific data sets with respect to the behaviours and practices highlighted from our pilot
study and CISO interaction. This provides the rationale behind each approach as well as a
documented implementation and evaluation of our experimental design with reference to
publications in the field. Chapter 7 documents our modelling strategy and highlights the
extensions we propose to the BPMN 2.0 formalism. Chapter 8 concludes our work with
reference to our contributions, limitations and the direction of future study.
Personality and Social Framing in Privacy Decision-Making: A Study on Cookie Acceptance
Despite their best intentions, people struggle with the realities of privacy protection and will often sacrifice privacy for convenience in their online activities. Individuals show systematic, personality dependent differences in their privacy decision making, which makes it interesting for those who seek to design 'nudges' designed to manipulate privacy behaviors. We explore such effects in a cookie decision task. Two hundred and ninety participants were given an incidental website review task that masked the true aim of the study. At the task outset, they were asked whether they wanted to accept a cookie in a message that either contained a social framing 'nudge' (they were told that either a majority or a minority of users like themselves had accepted the cookie) or contained no information about social norms (control). At the end of the task, participants were asked to complete a range of personality assessments (impulsivity, risk-taking, willingness to self-disclose and sociability). We found social framing to be an effective behavioral nudge, reducing cookie acceptance in the minority social norm condition. Further, we found personality effects such that those scoring highly on risk taking and impulsivity were significantly more likely to accept the cookie. Finally, we found that the application of a social nudge could attenuate the personality effects of impulsivity and risk-taking. We explore the implications for those working in the privacy by-design space.
Addressing consumerisation of IT risks with nudging
In this work we address the main issues of Information Technology (IT) consumerisation that are related to security risks, and vulnerabilities of devices used within Bring Your Own Device (BYOD) strategy in particular. We propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions. Several examples of nudging are considered for different tested and potential scenarios in security context.
Chapter F of the International Code of Nomenclature for algae, fungi, and plants as approved by the 11th International Mycological Congress, San Juan, Puerto Rico, July 2018
A revised version of Chapter F of the International Code of Nomenclature for algae, fungi, and plants is presented, incorporating amendments approved by the Fungal Nomenclature Session of the 11th International Mycological Congress held in San Juan, Puerto Rico in July 2018. The process leading to the amendments is outlined. Key changes in the San Juan Chapter F are (1) removal of option to use a colon to indicate the sanctioned status of a name, (2) introduction of correctability for incorrectly cited identifiers of names and typifications, and (3) introduction of option to use name identifiers in place of author citations. Examples have been added to aid the interpretation of new Articles and Recommendations, and Examples have also been added to the existing Art. F.3.7 concerning the protection extended to new combinations based on sanctioned names or basionyms of sanctioned names (which has been re-worded), and to Art. F.3.9 concerning typification of names accepted in the sanctioning works
Taxonomy and nomenclature in palaeopalynology: basic principles, current challenges and future perspectives
Effective communication of taxonomic concepts is crucial to meaningful application in all biological sciences, and thus the development and following of best practices in taxonomy and the formulation of clear and practical rules of nomenclature underpin a wide range of scientific studies. The International Code of Nomenclature for algae, fungi and plants (the Code), currently the Shenzhen Code of 2018, provides these rules. Although early versions of the Code were designed mainly with extant plants in mind, the Code has been increasingly used for fossil plants and, in recent decades, for organic-walled microfossils, the study of which is called palaeopalynology, or simply palynology. However, rules embodied in the Code do not fully reflect the needs and practices of this discipline; and taxonomic practices between fossil applications, especially in palynology, have tended to diverge from practices for extant plants. Differences in these rules and practices present specific challenges. We therefore review the Shenzhen Code as it applies to palynology, clarifying procedures and recommending approaches based on best practices, for example, in the designation and use of nomenclatural types. The application of nomenclatural types leads to taxonomic stability and precise communication, and lost or degraded types are therefore problematic because they remove the basis for understanding a taxon. Such problems are addressed using examples from the older European literature in which type specimens are missing or degraded. A review of the three most important conventions for presenting palynological taxonomic information, synonymies, diagnoses/descriptions and illustrations, concludes with recommendations of best practices. Palynology continues to play an important role in biostratigraphy, palaeoenvironmental analyses, and evolutionary studies, and is contributing increasingly to our understanding of past climates and ocean systems. To contribute with full potential to such applied studies, consistent communication of taxonomic concepts, founded upon clear rules of nomenclature, is essential.
Consumerisation of IT: Mitigating risky user actions and improving productivity with nudging
In this work we address the main issues of IT consumerisation that are related to security risks, and propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security related decisions.