Dissertation/Thesis Abstract

Systemic effects of human factors in information security
by Kelley, Timothy D., Ph.D., Indiana University, 2014, 153; 3665483
Abstract (Summary)

This dissertation couples the growing corpus of human subjects and behavioral research in information security with large-scale data and robust quantitative methods. Linking human subject experimentation with theoretical models enables the information security community to reason more effectively about the system-wide effects of user behavior. I examine how users interact with the digital environment, how those interactions affect decision-making, and how aggregate decision-making affects system-wide vulnerabilities. This interdisciplinary challenge requires a combination of techniques from cognitive neuroscience, social network analysis, human-subjects research, dynamical systems, network theory, and agent-based models.

In the first section, eye-tracking data demonstrates the relationships between expertise and online perceptual awareness of security cues. Expertise is shown to be only a small factor in attention to security cues, and task type proves to be a much larger indicator of attention, with tasks requiring the use of personal accounts driving attention to cues. This section uses Bayesian ANOVA to evaluate users' perceptual awareness of security cues as they complete common online tasks, as it relates to user sophistication and task type.

The second section uses a theoretical epidemiological model of malware spread to investigate factors that might mitigate the prevalence of malware in a coupled, two-population model. This both demonstrates that cost is the largest factor affecting malware prevalence, outside of malware infection rates, and identifies appropriate strategies for system-wide botnet mitigation.

The final section utilizes an agent-based model of mobile application adoption combined with social network data and mobile marketplace policy. The result is an examination of the dynamic effects of user and market behavior on the spread of mobile malware and the second-order effects, such as privacy loss, due to that spread. This model reveals that well-regulated markets are effective at limiting malware spread, but user behavior grows in importance as markets become less restricted.

Each study examines the ways in which users interact with their technology and the aggregate effects of those behaviors, and identifies possible inflection points to change system-wide behaviors. This dissertation integrates empirical behavioral studies to develop a better understanding of digital behavior, thus enabling a more holistic approach to information security.

Indexing (document details)
Advisor: Camp, Jean; Goldstone, Robert
Committee: Flammini, Alessandro; Todd, Peter
School: Indiana University
Department: Information Science
School Location: United States -- Indiana
Source: DAI-A 76/04(E), Dissertation Abstracts International
Source Type: DISSERTATION
Subjects: Cognitive psychology, Information science
Keywords: Decision making, Economics of information security, Expertise, Eye tracking, Modeling, Usable security
Publication Number: 3665483
ISBN: 9781321380538
Copyright © 2019 ProQuest LLC. All rights reserved.