It is becoming increasingly evident that the weakest links in an information-security chain are people, because human nature and social interactions are far easier to manipulate than the complex technological protections of information systems. Concerns and threats regarding human and social factors in organizational security are growing at an exponential rate and are shifting the information security paradigm. This book brings together publications on very important, timely and critical issues of managing the social and human aspects of information security. The book aims to provide substantial scholarly value to, and a contribution in, the information technology discipline. Despite being an emerging threat to information security, there is a dearth of quality literature in the area. The key objective is to fill a gap in the existing literature on the human and social dimensions of information security by providing readers with one comprehensive source of the latest trends, issues and research in the field. The book provides high-quality research papers and industrial and practice articles on the social and human aspects of information security. It covers both the theoretical (research) aspects of securing information systems and infrastructure from social engineering attacks and the real-world implications and implementations (practice) of that research.
BEYOND TECHNOLOGY AND POLICY, TOWARDS COMPREHENSIVE INFORMATION SECURITY
With the abundance of confidential information that organizations must protect, and with consumer fraud and identity theft at an all-time high, security has never been as important as it is today for businesses and individuals alike. An attacker can bypass millions of dollars invested in technical and non-technical protection mechanisms by exploiting the human and social aspects of information security. Because information systems mediate human interactions and communications through the use of technology, it is infeasible to separate the human elements from the technological ones. Organizations and individuals alike must therefore be equipped with the knowledge of what information can be used to initiate attacks, how information divulged could precipitate further attacks and compromise the state of their systems, and how to discern and mitigate such attacks. Businesses spend billions of dollars annually on expensive technology for information systems security, while overlooking one of the most glaring vulnerabilities – their employees and customers (Orgill, 2004; Schneier, 2000). Research has indicated that human error makes up as much as 65% of incidents that cause economic loss for a company, and that security incidents caused by external threats such as computer hackers happen only 3% or less of the time (Lewis, 2003; McCauley-Bell & Crumpton, 1998). Information security cannot be achieved from a technology standpoint alone; it requires understanding human behavior and the social context in which humans are embedded (Dhillon, 2007).
The 2007 CSI Computer Crime and Security Survey reports that insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59% and 52% of respondents reporting each respectively. The survey also finds that there have been too many data breaches driven by simple human error and carelessness. A new question added in this year's survey asked what percentage of the security budget was allocated to awareness training: almost half (48 percent) spend less than 1 percent of their security dollars on awareness programs. For the first time, this year the survey also asked about measures organizations had adopted to gauge the effectiveness of their security awareness training programs (CSI/FBI Survey, 2007). The survey shows that 18 percent of respondents don't use awareness training, implying that 4 out of 5 respondent organizations do in fact train their employees about security risks and the appropriate handling of sensitive data (CSI/FBI Survey, 2007). Although a strong majority performs this kind of training, many of the respondent organizations (35 percent) make no effort to measure the effect of this training on the organization. A quarter of them learn anecdotally from reported staff experiences; roughly one third (32 percent) administer tests to see whether their lessons have taken hold (CSI/FBI Survey, 2007). Only about one in ten (13 percent) of the respondents say they test the effectiveness of the training by checking whether employees can detect internally generated social engineering attacks (CSI/FBI Survey, 2007). These numbers quite clearly indicate that human and social elements are not given enough consideration in the design and implementation of security programs. While only a small portion (20%) conduct security training and awareness programs, even fewer (10%) actually measure the effectiveness of those programs.
All the same, we see that damages and threats from the non-technical and non-procedural elements of information security are higher than ever. No system is immune to human ingenuity. Effective information security must be culturally ingrained and backed by strategies and processes that are continually tested, taught, measured and refined (Lineberry, 2007). Businesses spend a significant portion of their annual information technology budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics those dollars buy can be pierced by attackers targeting untrained, uninformed or unmonitored users. Some of the best tools for fighting social engineering attacks are security awareness training and social engineering testing (Lineberry, 2007), but as we have just seen, organizations have a long way to go in implementing effective information security awareness programs and in measuring their performance. Research by Belsis, Spyros and Kiountouzis (2005) also suggests that although successful security management depends on the involvement of users and stakeholders, their knowledge of information systems security issues may be lacking, resulting in reduced participation.
Reformed computer criminal and security consultant Kevin Mitnick popularized the term social engineering, pointing out that it is much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in (Mitnick and Kasperavičius, 2004). He claims it to be the single most effective method in his arsenal. In another recent survey of black hat hackers, social engineering ranked as the third most widely used technique (Wilson, 2007). The survey results indicate that 63% of hackers use social engineering, while 67% use sniffers, 64% use SQL injection and 53% use cross-site scripting. Social engineering is an attack that breaks into a corporate network and its applications by manipulating human and social elements. Along with the issues surrounding social engineering, there are several other facets of the human and social elements, such as usability issues, organizational aspects, social and psychological aspects and privacy issues, which the book covers in detail. The book brings readers an excellent compilation of high-quality and relevant articles on the technology, processes, management, governance, research and practices of the human and social aspects of information security. It brings together articles from researchers and practitioners in the financial, legal, technology and information security fields through original papers on all aspects of the roles and effects of the human and social dimensions of information security.
ORGANIZATION OF THE BOOK
The nineteen chapters of the book are organized into 4 sections based on the following broad themes:
I: Human and Psychological Aspects
II: Social and Cultural Aspects
III: Usability Issues
IV: Organizational Aspects
The section on Human and Psychological Aspects focuses on some of the most important issues in information security that relate to human, behavioral and psychological aspects. In this section, we explore some of the interesting phenomena associated with password authentication and how human and social factors, particularly human error and the characteristics of human memory, interplay with passwords in determining the security of a system or environment. We also look into the concept of social psychology and the forms of deception humans are prone to fall for, providing a background of the area and a thorough description of the most common and important influence techniques. This section also presents a case study detailing how exploiting weaknesses in human behavior can circumvent existing technical and procedural controls. Another case study is presented to raise awareness of the cognitive and human factors issues that influence user behaviour when interacting with systems and making decisions with security consequences. Lastly, an action research case study illustrates that quality standards, including military standards, have procedures for human trust designed into them, in light of the trust issues raised by automatically generated program code. The second section, on Social and Cultural Aspects, contains chapters that explore and present interesting findings on information security culture as a social system, an international perspective on the social aspects of information security, a case study that elaborates and highlights human and social issues in information security, the effects of digital convergence on social engineering attack channels, and a social ontology for integrating security and software engineering.
The third section, on Usability Issues, comprises chapters on prevalent issues in the design and evaluation of consumer-configured security applications, security usability challenges for end-users, the impact of CAPTCHAs on Internet users and the possible attacks against them, and the privacy issues that arise when modeling the preferences of users in recommender systems based on collaborative filtering. The final section of the book, Organizational Aspects, investigates threats, vulnerabilities and the responses to them, incorporating human and social elements into security models through an adaptive threat-vulnerability model and the economics of protection; the issues surrounding employee surveillance and privacy protection; the alignment of IT teams' risk management with business requirements; the under-acquisition of human factors in information assurance requirements elicitation; and an exploratory review of the effectiveness of information security policies.
OVERVIEW OF CHAPTERS IN THE BOOK
With the increasing daily reliance on electronic transactions, it is essential to have reliable security practices for individuals, businesses, and organizations to protect their information (Vu, Bhargav & Proctor, 2003; Vu, Tai, Bhargav, Schultz & Proctor, 2004). A paradigm shift is occurring as researchers target the social and human dimensions of information security, since this is seen as an area where control can be exercised. Computer security is largely dependent on the use of passwords to authenticate users of technology. In light of the significance of authentication issues, Dr. Deborah Sater Carstens of Florida Institute of Technology, USA, in her chapter (Chapter 1), “Human and Social Aspects of Password Authentication”, provides a background on password authentication and information security; discusses security techniques, human error in information security, human memory limitations and password authentication in practice; and discusses future and emerging trends in password authentication, including future research areas.
Chapter 2, “Why Humans are the Weakest Link?”, introduces the concept of social psychology and the forms of deception humans are prone to fall for. It presents a background of the area and a thorough description of the most common and important influence techniques. It also gives practical examples of potential attacks and the kinds of influence techniques they use, as well as a set of recommendations on how to defend against deception and a discussion of future trends. The author, Marcus Nohlberg (University of Skövde, Sweden), hopes that understanding why and how deceptive techniques work will give the reader new insights into information security in general, and deception in particular. This insight can be used to improve training, to discover influence earlier, or even to gain new powers of influence.
Chapter 3, “Impact of the Human Element on Information Security”, discusses the impact of the human element in information security. We are in the third generation of information security evolution, having moved from a focus on technical controls, to process-based controls, to the current focus on the human element. Using case studies, the authors, Mahi Dontamsetti of M3 Security, USA and Anup Narayanan of First Legion Consulting, USA, detail how existing technical and process-based controls are circumvented by exploiting weaknesses in human behavior. The factors that affect why individuals behave in a certain way while making security decisions are discussed. A psychology framework called the conscious competence model is introduced. Using this model, typical individual security behavior is broken down into four quadrants according to the individual's consciousness and competence. The authors explain how the model can be used by individuals to recognize their security competency level and detail steps for learning more effective behavior. Shortfalls of existing training methods are highlighted and new strategies for increasing information security competence are presented.
The goal of Chapter 4, “The weakest link: A psychological perspective on why users make poor security decisions”, is to raise awareness of the cognitive and human factors issues that influence user behaviour when interacting with systems and making decisions with security consequences. This chapter is organized around case studies of computer security incidents and known threats. For each case study, the authors, Ryan West, Dell Inc., USA, Dr. Christopher B. Mayhorn, North Carolina State University, USA, Dr. Jefferson B. Hardee, North Carolina State University, USA and Dr. Jeremy Mendel, Clemson University, USA, provide an analysis of the human factors involved based on a system model composed of three parts: the user, the technology, and the environment. Each analysis discusses how the user interacted with the technology within the context of the environment to actively contribute to the incident. Using this approach, the authors introduce key concepts from human factors research and discuss them within the context of computer security. With a fundamental understanding of the causes that lead users to make poor security decisions and take risky actions, the authors hope designers of security systems will be better equipped to mitigate those risks.
Chapter 5, “Trusting Computers Through Trusting Humans: Software Verification in a Safety-Critical Information System”, considers the question of how we may trust automatically generated program code. The code walkthroughs and inspections of software engineering mimic the ways that mathematicians go about assuring themselves that a mathematical proof is true. Mathematicians have difficulty accepting a computer-generated proof because they cannot go through the social processes of trusting its construction. Similarly, those involved in accepting a proof of a computer system or computer-generated code cannot go through their traditional processes of trust. The process of software verification is bound up in software quality assurance procedures, which are themselves subject to commercial pressures. Quality standards, including military standards, have procedures for human trust designed into them. Dr. Alison Adam and Dr. Paul Spedding of University of Salford, UK present an action research case study of an avionics system within a military aircraft company that illustrates these points, where the software quality assurance (SQA) procedures were incommensurable with the use of automatically generated code.
The purpose of Chapter 6, “Information Security Culture as a Social System: Some Notes of Information Availability and Sharing”, is to increase understanding of the complex nature of information security culture in a networked working environment. The viewpoint taken is that of comprehensive information exchange in a social system. The aim of this chapter is to raise discussion about the challenges of developing an information security culture when acting in a multicultural environment. The authors, Dr. Rauno Kuusisto, Turku School of Economics, Finland and Dr. Tuija Kuusisto, Finnish National Defense University, Finland, offer some notes toward understanding what might lie behind this complexity. Understanding the nature of this complex cultural environment is essential to forming evolving and proactive security practices. Direct answers for formulating practices are not offered in this chapter, but certain general phenomena of the activity of a social system are pointed out. This will help readers apply these ideas to their own solutions.
In Chapter 7, “Social Aspects of Information Security: An International Perspective”, the authors, Dr. Paul Drake and Dr. Steve Clarke of University of Hull, UK, look at information security as a primarily technological domain and ask what could be added to our understanding if both technology and human activity were seen to be of equal importance. The aim of the chapter is to ground the domain both theoretically and practically from a technological and social standpoint. The solution to this dilemma is seen to be located in social theory, various aspects of which deal with both human and technical issues, but do so from the perspective of those involved in the system of concern. The chapter concludes by offering a model for evaluating information security from a social theoretical perspective, and guidelines for implementing the findings.
Chapter 8, “Social and Human Elements of Information Security: A Case Study”, attempts to understand the human and social factors in information security by bringing together three different universes of discourse – philosophy, human behavior and cognitive science. When these elements are combined, they unravel a new approach to the design, implementation and operation of secure information systems. A case study of the design of a technological solution to the problem of extending banking services to remote rural regions is presented and elaborated to highlight human and social issues in information security. The author, Dr. Mahil Carr, Institute for Development and Research in Banking Technology, India, has also identified and examined the concept of the ‘Other’ in the information security literature. The final objective is to prevent the ‘Other’ from emerging and damaging secure systems, rather than introducing complex lock-and-key controls.
Social engineering refers to the practice of manipulating people into divulging confidential information that can then be used to compromise an information system. In many cases, people, not technology, form the weakest link in the security of an information system. In Chapter 9, “Effects of digital convergence on social engineering attack channels”, the authors, Dr. Bogdan Hoanca and Dr. Kenrick Mock of University of Alaska Anchorage, USA, discuss the problem of social engineering and then examine the new social engineering threats that arise as voice, data, and video networks converge. In particular, converged networks give the social engineer multiple channels of attack through which to influence a user and compromise a system. On the other hand, these networks also support new tools that can help combat social engineering. However, no tool can substitute for educational efforts that make users aware of the problem of social engineering and of the policies that must be followed to prevent it from occurring.
As software becomes more and more entrenched in everyday life in today's society, security looms large as an unsolved problem. Despite advances in security mechanisms and technologies, most software systems in the world remain precarious and vulnerable. There is now widespread recognition that security cannot be achieved by technology alone. All software systems are ultimately embedded in some human social environment, and the effectiveness of a system depends very much on the forces in that environment. Yet there are few systematic techniques for treating the social context of security together with technical system design in an integral way. In Chapter 10, “A Social Ontology for Integrating Security and Software Engineering”, the authors, Dr. E. Yu and Dr. J. Mylopoulos of University of Toronto, Canada and Dr. L. Liu of Tsinghua University, China, argue that a social ontology at the core of a requirements engineering process can be the basis for integrating security into a requirements-driven software engineering process. The authors describe the i* agent-oriented modeling framework and show how it can be used to model and reason about security concerns and responses. A smart card example is used to illustrate the approach. Future directions for a social paradigm for security and software engineering are discussed.
End users often find that security configuration interfaces are difficult to use. In Chapter 11, “Security Configuration for Non-experts: A Case Study in Wireless Network Configuration”, Cynthia Kuo and Dr. Adrian Perrig of Carnegie Mellon University and Jesse Walker of Intel Corporation, USA explore how application designers can improve the design and evaluation of security configuration interfaces. The authors use IEEE 802.11 network configuration as a case study. First, the authors design and implement a configuration interface that guides users through secure network configuration. The key insight is that users have a difficult time translating their security goals into specific feature configurations; their interface automates the translation from users' high-level goals to low-level feature configurations. Second, the authors develop and conduct a user study to compare their interface design with commercially available products. The authors adapt existing user research methods to sidestep common difficulties in evaluating security applications. Using the authors' configuration interface, non-expert users are able to secure their networks as well as expert users. In general, the research addresses prevalent issues in the design and evaluation of consumer-configured security applications.
Chapter 12, “Security usability challenges for end-users”, highlights the need for security solutions to be usable by their target audience, and examines the problems that can be faced when attempting to understand and use the security features in typical applications. Challenges may arise from system-initiated events, as well as in relation to security tasks that users wish to perform for themselves, and can occur for a variety of reasons. This is illustrated by examining problems that arise from reliance upon technical terminology, unclear or confusing functionality, a lack of visible status and informative feedback to users, forcing users to make uninformed decisions, and a lack of integration amongst the different elements of security software themselves. Dr. Steven M. Furnell of University of Plymouth, UK discusses a number of practical examples from popular applications, as well as results from survey and user trial activities that were conducted in order to assess the potential problems at first hand. The findings are used as the basis for recommending a series of top-level guidelines that may be used to improve the situation, and these in turn are used as the basis for assessing further examples of existing software to determine their degree of compliance.
The Internet has established firm, deep roots in our day-to-day life. It has brought many revolutionary changes in the way we do things. One important consequence has been the way it has replaced human-to-human contact. This has also presented a new issue: the requirement to differentiate between real humans and automated programs on the Internet. Such automated programs are usually written with malicious intent. CAPTCHAs play an important role in solving this problem by presenting users with tests that only humans can solve. Chapter 13, “CAPTCHAs - Differentiating between Human and Bots”, looks into the need for, the history of, and the different kinds of CAPTCHAs that researchers have devised to deal with the security implications of automated bots pretending to be humans. Various schemes are compared and contrasted with each other, the impact of CAPTCHAs on Internet users is discussed and, to conclude, the various possible attacks are discussed. The author, Dr. Deapesh Misra of Verisign, USA, hopes that the chapter will not only introduce this interesting field to the reader in its entirety, but also stimulate thought on new schemes.
Chapter 14, “Privacy Concerns when Modeling Users in Collaborative Filtering Recommender Systems”, investigates ways to deal with privacy rules when modeling the preferences of users in recommender systems based on collaborative filtering. It argues that it is possible to find a good compromise between the quality of predictions and the protection of personal data. Accordingly, it proposes a methodology that complies with the strictest privacy laws for both centralized and distributed architectures. The authors, Dr. Sylvain Castagnos and Dr. Anne Boyer of LORIA – Université Nancy 2, Campus Scientifique, France, hope that their attempt to provide a unified vision of privacy rules through the related work and a generic privacy-enhancing procedure will help researchers and practitioners better take into account the ethical and legal constraints of privacy protection when designing information systems.
Traditionally, the views of security professionals regarding responses to threats and the management of vulnerabilities have been biased towards technology and operational risks. The purpose of Chapter 15, “An Adaptive Threat-Vulnerability Model and the Economics of Protection”, is to extend the legacy threat-vulnerability model to incorporate human and social factors. This is achieved by presenting the dynamics of threats and vulnerabilities in the human and social context. Dr. Warren Axelrod of US Trust, USA, in his chapter, examines costs and benefits as they relate to threats, exploits, vulnerabilities, defense measures, incidents, and recovery and restoration. The author also compares the technical and human/social aspects of each of these areas. The author then looks at future work and at how trends are pushing against prior formulations and forcing new thinking on the technical, operational risk, and human/social aspects. The reader will gain a broader view of threats, vulnerabilities and the responses to them by incorporating human and social elements into their security models.
Chapter 16, “Bridging the gap between employee surveillance and privacy protection”, addresses the issue of electronic workplace monitoring and its implications for employees' privacy. Organizations increasingly use a variety of electronic surveillance methods to mitigate threats to their information systems. Monitoring technology spans different aspects of organizational life, including communications, desktop and physical monitoring, collecting employees' personal data and locating employees through active badges. The application of these technologies raises privacy protection concerns. Throughout this chapter, Dr. Lilian Mitrou and Dr. Maria Karyda of University of the Aegean, Greece, describe the different approaches to privacy protection followed by different jurisdictions. The authors also highlight privacy issues with regard to new trends and practices, such as tele-working and the use of RFID technology for identifying the location of employees. Emphasis is also placed on the reorganization of work facilitated by information technology, since the frontiers between the private and the public sphere are becoming blurred. The aim of this chapter is twofold: it discusses privacy concerns and the implications of implementing employee surveillance technologies, and it suggests a framework of fair practices which can be used to bridge the gap between the need to provide adequate protection for information systems and the preservation of employees' rights to privacy.
Achieving alignment of risk perception, assessment, and tolerance among and between management teams within an organisation is an important foundation upon which an effective enterprise information security management strategy can be built. The authors of Chapter 17, “Aligning IT teams' risk management to business requirements”, Dr. Corey Hirsch of LeCroy Corporation, USA and Dr. Jean-Noel Ezingeard of Kingston University, UK, argue the importance of such alignment based on the information security and risk assessment literature. Too often a lack of alignment dampens clean execution of strategy, eroding support during the development and implementation of information security programs. The authors argue that alignment can be achieved by developing an understanding of enterprise risk management plans and actions, risk perceptions and risk culture. This is done by examining context, context and process. The authors illustrate this through the case of LeCroy Corp., showing how LeCroy managers perceive risk in practice and how LeCroy fosters alignment in risk perception and in the execution of its risk management strategy as part of an overall information security program. They show that in some circumstances diversity of risk tolerance profiles aids a management team's functioning, while in other circumstances variances lead to dysfunction. The authors have uncovered and quantified nonlinearities and special cases in LeCroy executive management's risk tolerance profiles.
Information security is becoming increasingly important and more complex as organizations increasingly adopt electronic channels for managing and conducting business. However, state-of-the-art systems design methods have ignored several aspects of security that arise from human involvement or from human factors. Manish Gupta, Dr. Raj Sharman and Dr. Lawrence Sanders aim to highlight the issues arising from the coalescence of the fields of systems requirements elicitation, information security and human factors in their chapter (Chapter 18), “Systems Security Requirements Elicitation: An Agenda for Acquisition of Human Factors”. The objective of the chapter is to investigate and suggest an agenda for the state of human factors in information assurance requirements elicitation from the perspectives of both organizations and researchers. Much research has been done in the area of requirements elicitation, for both systems and security, but, invariably, human factors have not been taken into account during information assurance requirements elicitation. The chapter aims to find clues and insights into the acquisition of human factors in information assurance requirements elicitation, to illustrate the current state of affairs in information assurance and requirements elicitation, and to explain why the inclusion of human factors is required.
Information is a critical corporate asset that has become increasingly vulnerable to attacks from viruses, hackers, criminals, and human error. Consequently, organizations have to prioritize the security of their computer systems in order to ensure that their information assets retain their accuracy, confidentiality, and availability. While the importance of the information security policy (InSPy) in ensuring the security of information is widely acknowledged, to date there has been little empirical analysis of its impact or effectiveness in this role. To help fill this gap, Chapter 19, “Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis”, presents an exploratory study that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end, the authors, Dr. N.F. Doherty and Dr. H. Fulford of Loughborough University, UK, designed, validated, and then targeted a questionnaire at IT managers within large organizations in the UK. The findings presented in this chapter are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding and its implications for the practice of information security management.
The book is aimed at a primary audience of professionals, scholars, researchers and academics working in the fast-evolving and growing field of information security. Practitioners and managers working in information technology or information security across all industries would vastly improve their knowledge and understanding of the critical human and social aspects of information security.