Effective Communication of Cyber Security Risks: Addressing the Human Element in Security Jason R.C. Nurse (PhD, MSc, BSc) Cyber Security Centre, Department.

Effective Communication of Cyber Security Risks: Addressing the Human Element in Security
Jason R.C. Nurse (PhD, MSc, BSc), Cyber Security Centre, Department of Computer Science, University of Oxford, UK
7th International Scientific Conference Security and Protection of Information, 22–24 May 2013, Trade Fairs Brno, Czech Republic

Open Day: 5 May 2012
Outline
- Why focus on humans and not technology?
- Addressing the human-related issues
- Recommendations for communicating risks
- Next steps…


Why focus on the human element?
Increase in attacks that exploit humans:
- Spamming
- Phishing, spear phishing
- Social-engineering threats
- Malicious applications

Why focus on the human element?
End-user systems tend not to be designed for usable security:
- “Why Johnny can’t encrypt?” (1999)
- “It’s too complicated so I turned it off!” (2010)
- Countless other system examples…
  - Configuring home routers and firewalls
  - Being forced to use complex passwords that must be changed monthly

Why focus on the human element?
Usability is also important for security professionals:
- Task workload, time factors and the increasing complexity of security systems
[Figure: Sax2 Intrusion Prevention and Intrusion Detection System screenshots of event viewers, typical interaction screens]

Why focus on the human element?
In summary, the problems…
- For end-users, security is usually a secondary goal
  - Interfaces tend to be too confusing and clumsy
  - Lack of quality feedback to users when performing security tasks
  - Strain on users to remember several security settings, configurations and passwords
  - Abundance of technical terminology
  - Forcing uninformed security decisions on users
- For security professionals, interfaces are difficult to use
  - Task workload and the increasing complexity of security systems


Addressing the human element in security
Three-pronged approach:
- How to build trust in interfaces and information?
- What are the key practices in designing for usable security?
- How to effectively communicate cybersecurity risks to end-users and security professionals?
[Figure: the three prongs, Trust, Usability and Cybersecurity risk communication]

Addressing the human element in security
- Trust. Key factors: interface and information presentation, relevance, supporting understanding, …
- Usability. Efficient interface design, support for user decision-making, reduced use of technical jargon and help functionality that is always provided, …
- Cybersecurity risk communication. Inspiration from the risk communication field: the importance of format in presenting the risk message, and understanding user perceptions


Recommendations for communicating risks
- Planning how cybersecurity risks will be communicated is crucial. Be clear on the goal, the most useful messages and strategies, and the characteristics of typical system users
- The meaning of information presented in security / risk messages should be clear. Information should be specific and unambiguous, or it risks being disregarded
- Users should be presented with clear and consistent directions for action, i.e., options for responding to a security risk. Narratives might be provided to help users visualise the outcome of their decisions

Recommendations for communicating risks
- Design with the understanding that humans possess a limited processing capacity. Reduce cognitive effort, e.g., present key security / risk information first and optional details later
- Make security functionality visible and accessible, while also making users aware of the system’s current security state
- Provide accessible help, advice and documentation for security

Recommendations for communicating risks
- For visual communication of security risks, note that (i) you should stick with established colours and use known real-world metaphors, and (ii) no single visual will be perfect in all situations, etc.
- To communicate risks numerically, note that users with high numeracy levels are likely to pay more attention to risk figures, while low-numerate users may rely more on emotions, mood states and guidance
- When communicating risks verbally, it may be best to use additional means (e.g., numbers) to adequately communicate the risk. “This site is likely to be malicious”: the interpretation of “likely” is subjective
[Figure: Enterasys Dragon: Intrusion Prevention System Log Analysis]
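The three recommendation slides above describe properties a risk message should have rather than a mechanism, so the following is an added example, written for this page and not part of the original presentation, of how a warning composer for an end-user tool can enforce them: key information first and optional details last, a verbal likelihood always paired with a numeric figure, a fixed vocabulary of action options so directions stay consistent, and a rejection of jargon in the headline. The verbal bands, the jargon list and the `RiskMessage`/`ACTIONS` names are illustrative assumptions; they are not taken from the slides.

```python
"""Compose end-user security risk messages that follow the recommendations
on planning, clarity, directions for action, cognitive load and verbal vs.
numeric risk communication.  Constructed example, not from the presentation.
"""
from dataclasses import dataclass, field

# Assumed mapping from a probability to a verbal band.  The thresholds are
# illustrative; the point is that each word has exactly one numeric range, so
# "likely" is never left to the reader's own interpretation.
VERBAL_BANDS = [
    (0.05, "very unlikely"),
    (0.25, "unlikely"),
    (0.75, "likely"),
    (1.00, "very likely"),
]

# Illustrative list of technical terms an end-user headline should avoid.
JARGON = {"ssl", "tls", "x.509", "hash", "cve", "ioc", "c2", "payload", "pki"}

# Fixed action wordings: every message offers directions from the same vocabulary,
# so users see consistent options rather than ad-hoc phrasing.
ACTIONS = {
    "leave": "Leave this site",
    "continue": "Continue anyway (not recommended)",
    "report": "Report this site",
}


def verbal_band(probability: float) -> str:
    """Return the verbal band for a probability in [0, 1]."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, word in VERBAL_BANDS:
        if probability <= upper:
            return word
    return VERBAL_BANDS[-1][1]


def find_jargon(text: str) -> list[str]:
    """Return the jargon terms found in text (case-insensitive, punctuation stripped)."""
    words = {w.strip(".,;:()!?\"'").lower() for w in text.split()}
    return sorted(words & JARGON)


@dataclass
class RiskMessage:
    what: str                       # key information: what the risk is, in plain words
    probability: float              # numeric likelihood shown next to the verbal band
    actions: list[str]              # keys into ACTIONS; the first is the recommended one
    details: list[str] = field(default_factory=list)  # optional detail, shown last

    def render(self) -> str:
        """Build the message text, refusing messages that break the recommendations."""
        if not self.actions:
            raise ValueError("a risk message must offer at least one action")
        unknown = [a for a in self.actions if a not in ACTIONS]
        if unknown:
            raise ValueError(f"inconsistent action wording: {unknown}")
        jargon = find_jargon(self.what)
        if jargon:
            raise ValueError(f"key message contains jargon: {jargon}")
        pct = round(self.probability * 100)
        lines = [
            f"Warning: {self.what}",                                      # key info first
            f"How likely: {verbal_band(self.probability)} ({pct} in 100)",  # word + number
            "What you can do:",
        ]
        lines += [f"  {i}. {ACTIONS[a]}" for i, a in enumerate(self.actions, 1)]
        if self.details:                                                  # optional, last
            lines.append("More information (optional):")
            lines += [f"  - {d}" for d in self.details]
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a browser-style warning for a suspected phishing page.
    msg = RiskMessage(
        what="This site may try to steal your password.",
        probability=0.8,
        actions=["leave", "report", "continue"],
        details=["The site address was registered two days ago."],
    )
    print(msg.render())
```

The checks in `render` are deliberately strict: a message with no action, an action outside the shared vocabulary, or a headline containing jargon is rejected at build time, which is where such defects are cheapest to catch; the numeric figure is expressed as "N in 100" rather than a percentage because the slides note that low-numerate users need guidance alongside the number.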


What’s next? Evaluating recommendations
- Identification of case scenarios where the recommendations can be adequately assessed
- Development of a prototype system and/or add-on functionality (to an existing system, e.g., a browser) in line with the scenarios, to supply a practical basis for analysis
- User studies to critically evaluate the trustworthiness and effectiveness of communications with and without the recommendations proposed

What’s next?
- Crisis Management: realising value from open-source information (e.g., Twitter, Facebook, blogs)
  Published research: “Building Confidence in Information-Trustworthiness Metrics for Decision Support”, TrustCom
- Security and privacy risks in the use of social media: understanding and communicating the serious risk faced by oversharing
  Published research: “A Data-Reachability Model for Elucidating Privacy and Security Risks Related to the Use of Online Social Networks”, TrustCom 2012
[Figure: approach and model diagram, labelled “Real name” and “Risk exposure”]

What’s next?
[Figure: visualisation tools shown on the slide]
- CyberVis: visualise attacks on business processes
- Circos: inappropriate content visualisation
- MeerCAT®: visual tool for wireless security analysis
- NFlowVis: a university’s computer network under attack

Conclusions
- Reflected on why it’s important to focus on the human element of security
- Three-pronged approach to addressing the issues
- Recommendations for effectively communicating cybersecurity risk
- Next steps for our work

Thanks! Any questions?