Year: 
2017
Name and position of the project proposer: 
sb_p_494711
Abstract: 

In all organisations, including universities, the tools and processes implemented to ensure cybersecurity are often designed from a top-down, corporate-centred perspective (as opposed to a user-centred one). This often drives users to find workarounds that allow them to be effective despite (not because of) the tools and processes they are obliged to work with. It has often been reported that one of the main issues in cybersecurity is the inefficacy of complex tools, guidelines, best practices, and software applications that decrease the system's usability and increase the user's workload. The security/usability trade-off cannot be avoided, however, and this proposal is based on the general idea that the trade-off itself can be exploited to devise design strategies aimed at improving security.
This project aims to create a behaviour-based security system implementing a reward strategy (gamification) to test security behaviours in an academic environment. Participants will be required to perform mundane tasks (e.g. sending and receiving emails, browsing the Internet, or writing and sending documents) using the platform. Both laboratory and remote research activities will be carried out to reach the project goals.

Research group members: 
sb_cp_is_683865
sb_cp_is_829550
sb_cp_is_857671
sb_cp_is_610831
Innovativeness: 

A cursory review of the cybersecurity literature allowed us to identify some attack scenarios that could be implemented in our studies, such as a phishing attack to investigate whether the social context affects students' behaviour (Jagatic, Johnson, Jakobsson and Menczer, 2007), emails including attachments, embedded URLs, and forms to obtain user credentials (Bowen, Devarajan & Stolfo, 2011), and a request to disclose private information together with a request to run an executable file (Steyn, Kruger & Drevin, 2007). Implementing those threats in the platform is a crucial task in this project and a strong element for aligning the experimentation with real-world situations.
The protocol devised in this proposal provides a perspective that is currently under-represented or neglected in the literature. The efficacy of the reward/punishment protocol in promoting the participants' security behaviours will be evaluated by considering the number of secure behaviours and the time participants take to select the correct behaviour as a function of the cumulative time spent on the platform. The specific advantage of each of the two types of reward schedule will also be assessed by comparing the frequency and timing of the correct behaviours obtained under the usability schedule and under the social schedule. An objective measure, participants' exploratory eye movements (fixation count and duration over the region of interest drawn around the alerts), will be analysed before and after the one-month testing period to evaluate changes in participants' oculomotor behaviour in response to the experimental procedure, and whether these changes are predictive of safer behaviours. Moreover, in order to predict individual differences in the use of the platform, a model based on commonality analysis will be applied to the self-reported data (i.e., questionnaires). This analysis makes it possible to partition the total variance into the variance unique to each variable and the variance shared by different independent variables. A model will be created to predict secure behaviours (frequency and timing of participants' responses) in a rewarding environment.
The results of this study and the developed tools constitute an innovative approach to an issue with a broad impact. In all organisations, including universities, the tools and processes implemented to ensure cybersecurity are often designed from a top-down, corporate-centred perspective (as opposed to a user-centred one). This often drives users to find workarounds that allow them to be effective despite (not because of) the tools and processes they are obliged to work with. For example, enforcing the use of strong, hard-to-remember passwords may lead to writing the password down on a post-it note and sticking it to the computer display. That is exactly what a user is not supposed to do, but guidelines "supposing" how a person should behave are only prescriptive in nature and do not take into consideration how people actually interact with technology to accomplish a task. Secure behaviours are therefore considered secondary to the primary tasks users are carrying out, and they are often seen as an impediment to their work. In the present project we want 1) to test the hypothesis that a performance-related system based on a reinforcement schedule can partly solve the problem by increasing users' awareness and the number of safe behaviours, and 2) to identify the type of person who is more likely to make poor security decisions. These aims lead 3) to devising a framework based on a Human-Centred Design (HCD) process, that is, an ergonomic process for creating projects and products that are aligned with the psycho-physical characteristics of the users and able to satisfy their needs. The HCD process aims to increase the perceived quality of the interaction and the overall efficiency of the system. ISO 9241-210 defines the basic principles of such a process:
- The design is based upon an explicit understanding of users, tasks and environments.
- Users are involved throughout design and development.
- The design is driven and refined by user-centred evaluation.
- The process is iterative.
- The design addresses the whole user experience.
- The design team includes multidisciplinary skills and perspectives.
We live in a hyper-connected world of Internet services and the Internet of Things (IoT) that makes individuals and organisations more productive. However, the human element is the weakest link in the security of a system, and without effective cybersecurity awareness the negative potential of such hyper-connectivity is also huge. The only way to instil secure behaviours in people is to design tools, protocols, and guidelines from a Human-Centred perspective, and the present proposal has the potential to provide a framework that can be handed directly to system engineers to answer their design questions.

Call code: 
494711
Keywords: 

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma