To develop computer security as a science and engineering discipline, metrics need to be defined to evaluate the safety and security of alternative system designs. Security policies are often specified by large organizations, but there is no direct means of evaluating how well human users follow them. The proposed project explores fundamental means of measuring the security posture of large enterprises. Risk management and risk mitigation require measurement in order to assess alternative outcomes in any decision process. The project is intended to devise metrics and measurement methods, and to test and evaluate them in a real institution, in order to evaluate how human users behave in a security context.

Financial institutions in particular require significant controls over the handling of confidential financial information, and employees must adhere to these policies to protect assets that are under continual adversarial attack by thieves and fraudsters. Hence, financial institutions are the primary focus of the measurement work.

User actions that may violate security policy are measured in a non-intrusive manner. The measurement system uses specially crafted decoy documents and email messages that signal when a user has opened or copied them in violation of policy. The project will develop collaborations with financial experts to devise risk models associated with users of information technology within large enterprises. This line of work extends traditional research in computer security by opening up a new area focused on the human aspect of security.
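As an added illustration, not code from the project described above, the following Python sketches how the signals emitted by such decoy documents could be turned into a per-user policy-violation metric. The beacon log format, the decoy registry, and every account name, path and token in it are constructed assumptions.

```python
from collections import Counter

# Constructed registry (hypothetical values): beacon token -> (where the decoy
# was planted, the only account authorised to open it).
DECOYS = {
    "b7f2": ("//fileshare/finance/Q3_wire_transfers.xlsx", "alice"),
    "c91a": ("mail:alice:Re: customer account list", "alice"),
    "d404": ("//fileshare/hr/bonus_schedule.docx", "bob"),
}

# Constructed beacon log, one event per line: <timestamp> token=.. user=.. action=..
BEACON_LOG = """\
2009-10-02T09:14:05Z token=b7f2 user=alice action=open
2009-10-02T11:30:41Z token=b7f2 user=carol action=open
2009-10-02T11:31:10Z token=b7f2 user=carol action=copy
2009-10-03T08:02:33Z token=c91a user=dave action=open
2009-10-03T15:45:12Z token=d404 user=bob action=open
2009-10-04T10:00:00Z token=zzzz user=erin action=open
garbage line that should be ignored
"""

def parse_event(line):
    """Return (timestamp, token, user, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if {"token", "user", "action"} - set(fields):
        return None
    return parts[0], fields["token"], fields["user"], fields["action"]

def policy_violations(log, decoys=DECOYS):
    """Events where an account other than the decoy's owner opened or copied it.
    Tokens absent from the registry are skipped: no decoy, so no policy to check."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev is None or ev[1] not in decoys:
            continue
        ts, token, user, action = ev
        path, owner = decoys[token]
        if user != owner:
            hits.append({"time": ts, "user": user, "action": action, "decoy": path})
    return hits

def unauthorized_decoys_per_user(log, decoys=DECOYS):
    """Posture metric: distinct decoys each account touched without authorisation."""
    touched = {(h["user"], h["decoy"]) for h in policy_violations(log, decoys)}
    return dict(Counter(user for user, _ in touched))
```

The owner's own opens are not counted, so the metric isolates accesses that the policy forbids rather than every beacon firing.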

Project Start:
Project End:
Budget Start: 2009-09-01
Budget End: 2012-08-31
Support Year:
Fiscal Year: 2009
Total Cost: $300,000
Indirect Cost:
Name: Columbia University
Department:
Type:
DUNS #:
City: New York
State: NY
Country: United States
Zip Code: 10027