Iacovos Kirlappos

“Comply or Die” Is Dead: Long Live Security-Aware Principal Agents

Information security has adapted to the modern collaborative organisational nature, and abandoned “command-and-control” approaches of the past. But when it comes to managing employee’s information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this “comply or die” approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees’ reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised - employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employee’s perception of their role in security, transforming them to security-aware principal agents.

Towards Usable Generation and Enforcement of Trust Evidence from Programmers’ Intent

Programmers develop code with a sense of purpose and with expectations on how units of code should interact with other units of code. But this intent of programmers is typically implicit and undocumented, goes beyond considerations of functional correctness, and may depend on trust assumptions that programmers make. At present, neither programming languages nor development environments offer a means of articulating such intent in a manner that could be used for controlling whether software executions meet such intentions and their associated expectations. We here study how extant research on trust can inform approaches to articulating programmers’ intent so that it may help with creating trust evidence for more trustworthy interaction of software units.

Familiarity Breeds Con-victims: Why We Need More Effective Trust Signaling

The past 10 years have seen a plethora of research on trust in online interactions. In the late 90s, the issue was whether people would be willing to trust the Internet enough to order and enter their credit card details online. Most of the academic research and commercial advice published then focused on ’how to increase user trust online’ by making websites ’user friendly’ and having a ’personal touch’ e.g. in the form of photos of company staff. Unfortunately, much this advice on how to make your Internet presence trustworthy is now being used by perpetrators of phishing scams, who are using the latest ’trustworthy UI design techniques’ to trick users into revealing authentication credentials and other personal data. A key trust issue that has emerged with the huge popularity of social networking is users’ voluntary (and sometimes ill-judged) disclosure of personal information, and accidental sharing of that data by applications and other users.