Shari Lawrence Pfleeger

Leveraging behavioral science to mitigate cyber security risk

Most efforts to improve cyber security focus primarily on incorporating new technological approaches in products and processes. However, a key element of improvement involves acknowledging the importance of human behavior when designing, building and using cyber security technology. In this survey paper, we describe why incorporating an understanding of human behavior into cyber security products and processes can lead to more effective technology. We present two examples: the first demonstrates how leveraging behavioral science leads to clear improvements, and the other illustrates how behavioral science offers the potential for significant increases in the effectiveness of cyber security. Based on feedback collected from practitioners in preliminary interviews, we narrow our focus to two important behavioral aspects: cognitive load and bias. Next, we identify proven and potential behavioral science findings that have cyber security relevance, not only related to cognitive load and bias but also to heuristics and behavioral science models. We conclude by suggesting several next steps for incorporating behavioral science findings in our technological design, development and use.

Guest Editors' Introduction: Shouldn't All Security Be Usable?

Usability is defined as the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use. It is more than a well-designed user interface.

Guest Editors' Introduction: Software as a Business

Software plays an increasingly important role in most aspects of business. Many new business models for software-intensive enterprises have arisen in the last decade, ranging from selling software as a service to off shoring and crowd sourcing. Governments and standards bodies have also intervened to influence business models for stimulating growth in the industry. The software business has also had ancillary effects including the creation of new sectors such as innovation management. The management of intellectual property rights has become a more critical issue as software is embedded in more and more products. The debate about whether the software business is fundamentally different from others will continue, even as the software business continues to transform itself.

The Eyes Have It: Surveillance and How It Evolved

This article presents a brief history of surveillance, technological and otherwise. It includes a discussion of some of the issues technologists should consider when building software and hardware to capture and analyze personal characteristics, habits, movements, and more.

Does Profiling Make Us More Secure

“Profiling” means making predictions about likely user behavior based on collected characteristics and activities. Shari Lawrence Pfleeger and Marc Rogers brought together a group of researchers from a variety of disciplines to discuss whether profiling and prediction actually make us secure.

Security Measurement Steps, Missteps, and Next Steps

Over the past decade, this magazine has focused on a wide variety of important issues, each of which contributes not only to our understanding of security but also to innovative and effective solutions to security problems. Measurement has frequently held star and supporting roles in many of these articles. The author describes the past, present, and future for measurements role in security.

Technology, Transparency, and Trust

Over time, device control and transparency have continued to decrease. As users and consumers, we have a responsibility to think about how technology fits in our lives and what we want it to accomplish. We also have a responsibility to think about secondary effects, such as when and whether allowing our devices to monitor and track us is acceptable. These are important questions to ask at a time when enthusiasm for functionality can lead to a rush to market before the security and privacy implications are fully realized, assessed, and addressed.

Ramsey Theory: Learning about the Needle in the Haystack

Results from number theory show us that even in seemingly random sets, we can find order; total disorder is impossible. Ramseys theorem can help broaden our perspective in cybersecurity by showing us how to use the emergent order to find patterns and to design systems to avoid certain patterns.

A Key to the Castle

Understanding and providing incentives for good security behavior can be more effective and welcome than disruptive or constraining technology.