Publication


Featured research published by L. Jean Camp.


financial cryptography | 2007

Mental models of security risks

Farzaneh Asgharpour; Debin Liu; L. Jean Camp

In computer security, risk communication refers to informing computer users about the likelihood and magnitude of a threat. Efficacy of risk communication depends not only on the nature of the risk, but also on the alignment between the conceptual model embedded in the risk communication and the users' mental model of the risk. The gap between the mental models of security experts and non-experts could lead to ineffective risk communication. Our research shows that for a variety of security risks, self-identified security experts and non-experts have different mental models. We propose that the design of the risk communication methods should be based on the non-expert mental models.


Communications of The ACM | 2004

The code of elections

Rebecca T. Mercuri; L. Jean Camp

The disparity between the code of election law and the code that comprises election equipment reflects inherent problems in the translation of social policies into computer procedures and overseeing processes.


financial cryptography | 2009

Mitigating Inadvertent Insider Threats with Incentives

Debin Liu; XiaoFeng Wang; L. Jean Camp

Inadvertent insiders are trusted insiders who do not have malicious intent (as with malicious insiders) but do not responsibly manage security. The result is often enabling a malicious outsider to use the privileges of the inattentive insider to implement an insider attack. This risk is as old as conversion of a weak user password into root access, but the term inadvertent insider is recently coined to identify the link between the behavior and the vulnerability. In this paper, we propose to mitigate this threat using a novel risk budget mechanism that offers incentives to an insider to behave according to the risk posture set by the organization. We propose assigning an insider a risk budget, which is a specific allocation of risk points, allowing employees to take a finite number of risk-seeking choices. In this way, the employee can complete her tasks without subverting the security system, as with absolute prohibitions. In the end, the organization penalizes the insider if she fails to accomplish her task within the budget while rewarding her in the presence of a surplus. Most importantly, the risk budget requires that the user make conscious visible choices to take electronic risks. We describe the theory behind the system, including specific work on the insider threats. We evaluated this approach using human-subject experiments, which demonstrate the effectiveness of our risk budget mechanism. We also present a game theoretic analysis of the mechanism.


privacy enhancing technologies | 2012

Risk communication design: video vs. text

Vaibhav Garg; L. Jean Camp; Katherine H. Connelly; Lesa Lorenzen-Huber

There are significant differences between older and younger adults in terms of risk perception and risk behaviors offline. The previously unexplored existence of this dissimilitude online is the motivation for our work. What are the risk perceptions of older adults? How are these correlated with the classic dimensions of risk perception offline? Can we leverage episodic memory, particularly relevant for older adults, to increase the efficacy of risk communication? We conduct a survey-based experiment with two groups: video (n=136) and text (113). We find that leveraging episodic memory using video risk communication can improve the ability of elders to avoid phishing attacks and downloading malware. The applicability of the dimensions of risk was different based not only on the risk but also on the mode of risk communication.


Daedalus | 2011

Reconceptualizing the Role of Security User

L. Jean Camp

The Internet is not the only critical infrastructure that relies on the participation of unorganized and technically inexpert end users. Transportation, health, waste management, and disaster preparedness are other areas where cooperation between unorganized citizens who lack experience with the domain has increased resiliency, reduced social costs, and helped meet shared goals. Theories of community-based production and management of the commons explain this type of cooperation, both offline and online. This essay examines these two complementary approaches to organizing the cybercitizen for cybersecurity. Cybersecurity discourse has reasonably focused on centralized parties and network operators. From domain name registrars to network service providers, solutions are sought through incentives, regulation, and even law enforcement. However great the ability of these centralized entities to implement change, the end user plays a crucial role. The Internet must remain open to enable innovation and diffusion of innovation; thus, the end user will continue to be important. What is the role of the citizen in cybersecurity? What socio-technical characteristics might enable a system that encourages and empowers users to create a secure infrastructure?


pervasive technologies related to assistive environments | 2010

Threat analysis of online health information system

Azadeh Nematzadeh; L. Jean Camp

Electronic health records are increasingly used to enhance availability, recovery, and transfer of health records. Newly developed online health systems such as Google-Health create new security and privacy risks. In this paper, we elucidate a clear threat model for online health information systems. We distinguish between privacy and security threats. In response to these risks, we propose a traitor-tracing solution, which embeds proof to trace an attacker who leaks data from a repository. We argue that the application of traitor-tracing techniques to online health systems can align incentives and decrease risks.


The Economics of Information Security and Privacy | 2013

Analysis of ecrime in crowd-sourced labor markets: Mechanical turk vs. freelancer

Vaibhav Garg; L. Jean Camp; Chris Kanich

Research in the economics of security has contributed more than a decade of empirical findings to the understanding of the microeconomics of (in)security, privacy, and ecrime. Here we build on insights from previous macro-level research on crime, and microeconomic analyses of ecrime to develop a set of hypotheses to predict which variables are correlated with national participation levels in crowd-sourced ecrime. Some hypotheses appear to hold, e.g. Internet penetration, English literacy, size of the labor market, and government policy all are significant indicators of crowd-sourced ecrime market participation. Greater governmental transparency, less corruption, and more consistent rule of law lower the participation rate in ecrime. Other results are counter-intuitive. GDP per person is not significant, and, unusually for crime, a greater percentage of women does not correlate to decreased crime. One finding relevant to policymaking is that deterring bidders in crowd-sourced labor markets is an ineffective approach to decreasing demand and in turn market size.


The Economics of Information Security and Privacy | 2013

Online Promiscuity: Prophylactic Patching and the Spread of Computer Transmitted Infections

Timothy Kelley; L. Jean Camp

There is a long history of studying the epidemiology of computer malware. Much of this work has focused on the behaviors of specific viruses, worms, or botnets. In contrast, we seek to utilize an extension of the simple SIS model to examine the efficacy of various aggregate patching and recovery behaviors. We use the SIS model because we are interested in the global prevalence of malware, rather than the dynamics, such as recovery, covered in previous work. We consider four populations: vigilant and non-vigilant with infected or not for both sets. Using our model we show that small increases in patch rates and recovery speed are the most effective approaches to reduce system-wide vulnerabilities due to unprotected computers. Our results illustrate that a public health approach may be feasible, requiring a subpopulation adopt prophylactic actions rather than near-universal immunization.


Information and Computer Security | 2017

Factors in an end user security expertise instrument

Prashanth Rajivan; Pablo Moriano; Timothy Kelley; L. Jean Camp

Purpose: The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent.

Design/methodology/approach: A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates.

Findings: There are levels to people's computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise.

Practical implications: Findings from this work can be used to guide the design of security interfaces such that they cater to people with different expertise levels and do not force users to exercise more cognitive processes than required.

Originality/value: This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that a security expertise instrument for end users should measure three cognitive dimensions: security skills, rules and knowledge.


ieee symposium on security and privacy | 2014

Helping You Protect You

M. Angela Sasse; Charles C. Palmer; Markus Jakobsson; Sunny Consolvo; Rick Wash; L. Jean Camp

Guest editors M. Angela Sasse and Charles C. Palmer speak with security practitioners about what companies are doing to keep customers secure, and what users can do to stay safe.

Collaboration


Top Co-Authors

Timothy Kelley

Indiana University Bloomington

Chris Kanich

University of Illinois at Chicago

John Duncan

Indiana University Bloomington
