Science of Human Circumvention of Security (SHUCS)
S.W. Smith (Dartmouth), V. Kothari (Student) with J. Blythe (USC ISI), R. Koppel (University of Pennsylvania)
- Good people circumvent security controls to do their jobs and to meet their organization’s mission.
- We can’t pretend it doesn’t happen!
- Move from fantasy-based security to evidence-based security.
- Develop tools and metrics to make meaningful, quantifiable comparisons, decisions, and other evaluations of proposed solutions in light of what users actually do.
- Interdisciplinary: computer security, AI, sociology, and ethnography.
Key Science Methods & Advances
- Conducted surveys to compare users’ security perceptions and behaviors to those of experts.
- Employed ethnography and interviews to document how and why users circumvent.
- Catalogued and classified mismorphisms, “mappings that fail to preserve structure.”
- Developed agent-based simulations to model security-relevant human behavior.
- Conducting an eye-gaze study to examine how users read and classify emails, especially the cues they rely on.
- Builds on our prior projects, including TISH (healthcare settings) and IRIDOE (financial settings).
Results & Impacts
- Serves as a window into how and why users circumvent security policies, mechanisms, and advice in real-world settings.
- Suggests approaches for developing workflow-inspired security solutions tailored to organizational needs.
- Provides methods to compare and evaluate different security solutions, e.g., simulations suggest lax privacy policies provide better security than stringent ones in select settings.
- Invitational workshops on circumvention and on insider attack.
- “Best Paper” accolades from AMIA and IMIA.