ABSTRACT. Various factors influence user's behaviour and interactions with technology. This means security has a socio-technical element, that continues to present a challenge in research and attempts to improve security behaviour. Users may not be the enemy but their (un)intentional (mis)use of technology is certainly part of the problem in security. To solve this problem, we must do more than simply pay lip service to the need to address the human element; we need to systematically explore the environmental, social and personal influencers of behaviour within the context of cybersecurity. Those who seek to ensure cybersecurity must learn to utilise such influencers as efficiently as those who seek to exploit them. Awareness training is touted as the solution, awareness may be necessary but it is seldom sufficient. Psychological research and organisational reports suggest that increased user awareness alone is insufficient when it comes to changing actual behaviour. This may make users' behaviours seem irrational, but they are understandable if you appreciate the cognitive biases people are prone to and the heuristics they use when the time, effort and knowledge required to follow a "rational" decision making process outweighs the benefits perceived by the user. This talk provides a short overview of the issues worthy of exploration in security research and suggests several strategies on how to tackle the security awareness - behaviour divide.

ABSTRACT. As wireless networking increases, so do the risks associated with the use of such technology. We examined the role of wireless network display and choice presentation in a study involving 104 undergraduate social science students. One research goal was to examine to what extent different features (such as padlocks) and labels in different colours could be used to ‘nudge’ individuals towards more secure and away from open (unsecured) network options. Another goal was to better understand the basis for decision-making. Based on qualitative as well as quantitative data about participants’ rationales for selecting specific network options, we were able to differentiate groups whose decision were driven by security concerns, those who made convenience-based decisions, and those whose motives were unclear or undefined. These decision justifications were associated with different network choices. The results suggest that the padlock takes different functions and meanings for the three groups which can help to better understand their security-related decision making. We further observed significant effects for the use of colour when nudging participants towards more secure choices. We also wanted to examine the role of individual differences in relation to the choices individuals make. Perceived vulnerability and controllability of risk played a role in terms of the extent to which participants would more secure vs. unsecure choices, although we obtained no significant group differences when we examined these variables in relation to the different decision justification groups. This indicates that perceived risk perceptions and reasons for decisions may relate differently to the actual behavioural choices individuals make, with perceptions of risk not necessarily relating to the reasons that participants consider when making security decisions.

ABSTRACT. An enterprise's information security policy is an exceptionally important control as it provides the employees of an organisation with details of what is expected of them, and what they can expect from the organisation's security teams, as well as informing the culture within that organisation. The threat from accidental insiders is a reality across all enterprises, and can be extremely damaging to the systems, data and reputation of an organisation. Recent industry reports, and academic literature underline the fact that the risk of accidental insider compromise is potentially more pressing than that posed by a malicious insider. In this paper we focus on the ability of enterprises' information security policies to mitigate against the accidental insider threat. Specifically we perform an analysis of real-world cases of accidental insider threat to define the key reasons, actions and impacts of these events - captured as a grounded insider threat classification scheme. This scheme is then used to perform a review of a set of organisational security policies to highlight their strengths and weaknesses when considering the prevention of incidents of accidental insider compromise. We present a set of questions that can be used to analyse an existing security policy to help control the risk of the accidental insider threat.

ABSTRACT. User constrained devices such as smart cards are commonly used in human-protocol interaction. Modelling these devices as part of human-protocol interaction is still an open problem. Examining the interaction of these devices as part of security ceremonies offers greater insight. This paper highlights two such cases: modelling extra channels between humans and devices in the ceremony, and modelling possession when the device also acts as an agent in the ceremony. Case studies where such devices are used during authentication ceremonies are presented to demonstrate these use cases.

ABSTRACT. We explore ICT security in a socio-technical world and focus in particular on the susceptibility to social engineering attacks. We pursue the question if and how personality traits influence this susceptibility. We use Cialdini's principles of influence to categorise social engineering attacks. With a comprehensive literature review we first show how existent research approaches social engineering susceptibility.

Based on this review we construct suggestions for plausible relations between personality traits of the Five-Factor Model (Big 5) and the principles of influence. We propose our – at this stage theory-based – "Social Engineering Personality Framework" (SEPF) which we will evaluate in future empiric research. The characteristics of victims' personality traits in the SEPF will support and guide security researchers and practitioners in developing detection, mitigation, and prevention strategies while dealing with human factors in social engineering attacks.

ABSTRACT. In this paper, we approach the problem of modeling the human component in technical systems with a view on the difference between the use of model and theory in sociology and computer science. One aim of this essay is to show that building of theories and models for sociology can be compared and implemented in Higher Order Logic. We validate this working hypothesis by revisiting Weber's understanding explanation. We focus on constructive realism in the context of logical explanation. We review Higher Order Logic (HOL) as a foundation for computer science and summarize its use of theories relating it to the sociological process of logical explanation. As a case study on modeling human behaviour, we present the modeling and analysis of insider threats as a Higher Order Logic theory in Isabelle/HOL. We show how each of the three step process of sociological explanation can be seen in our modeling of insider's state, its context within an organisation and the effects on security as outcomes of a theorem proving analysis.

ABSTRACT. One problem with most currently used transaction authentication methods is that they depend on the customer's computer for integrity of the information flow between customer and bank. This allows man-in-the-middle attacks to be conducted using malware for financial fraud. Some banks are implementing new authentication methods that allow customers to verify transactions received by a bank without depending on the customer's computer to provide information integrity. These new methods are more complex compared to traditional authentication methods and need the customer's attention to be effective, since it is up to the customer to verify the information that was received by his or her bank. By examining the intrinsic problems of traditional and new transaction authentication methods as used by banks, we designed an alternative authentication method named 'Entered Single Transaction Authentication'. Our method ensures that the bank receives information as the customer entered it without requiring further verification by the customer. We introduce the concept 'What You Enter Is What You Sign', which ensures the digital integrity of information as soon as it is entered. Our proposal is theoretical and high-level, but opens the way for secure transaction authentication methods that rely less on the authenticating party to provide correct information, thereby reducing errors and improving user friendliness.

ABSTRACT. The Android OS has a permission-based security system that controls the third party applications’ access to sensitive information on the smartphone. The risk evaluation is left to the user who has to evaluate whether or not the requested permissions are appropriate. However, former work has shown that users lack attention to and understanding of the permissions which makes it difficult for them to make appropriate decisions. To support users with better understandable information we provide statistical information about permissions, grouped by functionality. We use methods from health risk communication to communicate this information to the users. In a lab experiment with 48 participants we find that users tend to choose more often the app with a lower number of permissions when statistical information is provided together with graphics. We also find that the privacy-intrusiveness and trustworthiness of apps is perceived differently when statistical information is given.