Given the diverse and complex nature of computer security, a natural response of the academic and industrial communities has been to study how technical solutions to the problem can be created. Although technical solutions to various problems can be quite effective, many of them are predicated on users being aware of the importance of avoiding risky behavior. While considerable rigor has been applied to evaluating the efficacy of the various technical approaches, the human aspect of computer security has received relatively little attention, with largely cursory or anecdotal evaluation. The unfortunate result of this lack of rigorous scientific data is the use of under-funded and ad hoc security awareness initiatives that offer limited benefit to the security of the enterprise. This work will leverage the unique aspects of the university environment to conduct a multi-scale (time, observation group, data granularity) formal set of experiments on the efficacy of security awareness techniques. Moreover, the inter-disciplinary effort will apply formal experiments to explore the use of negative, positive, and targeted communication interventions drawn from theoretical considerations in the existing criminology, psychology, and information systems literature.

Stated another way, organizations dedicate significant financial and human resources to information security awareness programs designed to raise user knowledge of safe computing practices and information security risks. Unfortunately, despite the significant resources many organizations expend on awareness, they have little if any guidance or scientific evidence with which to construct effective strategies. Should strategies rely on positive or negative messaging? Are postcards, hallway posters, or training classes more effective? Are the effects of an awareness campaign temporary or long term? The focus of this work will be to provide that rigorous scientific basis by exploring how effective awareness techniques are in the "wild" of the university environment, unimpeded by normal network security controls. A key broader impact of the work will be the creation of basic guidelines for the construction of security awareness programs. The net result will be dramatically improved cost efficiency of security awareness techniques and hence a significant improvement in the national cyber-security infrastructure.

Project Report

Cyber security has emerged as a critical national issue in the face of continual threats. The recent trend towards employers embracing BYOD (Bring Your Own Device), whereby sensitive information (personal or company) is kept on a mobile device (laptop, tablet, smartphone), has further heightened this need. In such cases, the typical approach is for an organization to educate users under what are termed security awareness programs. Unfortunately, such programs tend to be measured not in terms of effectiveness but rather in pervasiveness, namely whether one saw the intervention (poster, e-mail) rather than whether one changed one's behavior. The focus of this effort was to accurately measure the effectiveness of such programs and of the variations in messaging they contain. The university environment is ideal for this testing in that it captures the next generation of the domestic workforce, with the potential for detailed staging and monitoring of whether security awareness programs actually lead to behavioral changes. This particular grant focused on a variety of security-oriented behaviors of varying complexity, from P2P sharing to password / screen locking to anti-virus installation to automated updates. Each behavior was explored through a variety of messaging techniques, including negative methods (regret, deterrence), positive methods (morality, incentives, feedback), and varying message delivery mechanisms (postcards, e-mail, SMS, posters). Detailed user studies were also conducted to better understand the psychological underpinnings, in particular the impacts of personality and of perceptions of risk (accurate or not).

The key lessons noted from the grant efforts include:

(1) While awareness programs can shift user behavior (roughly up to 1/3 of non-compliant users), complete compliance still requires direct monitoring and enforcement.
(2) Once security behaviors are established, they tend to be difficult to change, owing in part to incorrect perceptions of risk (which are themselves difficult to change).
(3) Deterrence-based strategies (you may lose your access if you do not comply) tend to produce faster compliance in the short term, but morality-based appeals (good students lock their screen) produce longer-lasting efficacy. Incentive-based schemes (do X and receive five dollars), however, tend to offer the best performance, with similar results for feedback-based schemes.
(4) Risk perceptions in the mobile space (smartphone, tablet) vary considerably from risk perceptions in the desktop / laptop space, with considerable security implications.
(5) Despite deterrence being one of the most commonly employed security strategies, user studies indicate that facts conveyed via deterrence-based messaging are actually less memorable, which explains in part the lack of efficacy observed for deterrence-based messaging in prior work. Morality-based messaging also has mixed results.
(6) Messaging that employs feedback tends to have the best memorability, closely followed by incentive-based messaging.

From a broader takeaway perspective, there are several key lessons:

(1) Security awareness programs can drive behavior but cannot be viewed as a substitute for enforcement and / or monitoring where sensitive information is concerned. Security awareness should therefore be viewed merely as reducing risk, and the resources spent on it must be carefully weighed against emerging tools that directly enforce the desired system behavior.
(2) The BYOD environment, where user-owned devices (laptops, smartphones, tablets) are introduced, poses considerable danger. Risks are especially acute with tablets and smartphones, where risk perception varies considerably from that for laptops and / or desktops.
(3) Positive messaging via either feedback (how many users are compliant, help us grow that number) or incentives (do this and receive Y) is more effective than negative messaging, and messaging for security awareness programs should shift away from deterrence (negative) style campaigns toward positive campaigns.

Further broader impacts of this grant effort include the training of multiple graduate students focused on cyber security, including one student in Computer Science (now working for the government), a student finishing a Master's degree in Psychology focused on security, and multiple undergraduate students who received training through research credit and summer research efforts.

Agency
National Science Foundation (NSF)
Institute
Division of Information and Intelligent Systems (IIS)
Application #
0915775
Program Officer
William Bainbridge
Budget Start
2009-09-15
Budget End
2014-08-31
Fiscal Year
2009
Total Cost
$477,783
Name
University of Notre Dame
City
Notre Dame
State
IN
Country
United States
Zip Code
46556