SBE: Small: THE NEW SECURITY CALCULUS: Incentivizing Good User Security Behavior

SBE：小：新的安全演算：激励良好的用户安全行为

• 批准号: 1618212
• 负责人: Sanjay Goel
• 金额: $ 49.79万
• 依托单位: SUNY at Albany
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-15 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1618212&HistoricalAwards=false
• 关键词: SBE; Small; NEW; SECURITY; CALCULUS

The threat and impact of cybersecurity breaches are felt throughout society with massive financial losses to businesses and breach of national secrets. Human behavior is increasing seen as a fundamental security vulnerability that is at the center of many security breaches. Several approaches have been used for improving user security behavior, including enacting information security policies, providing security awareness training, and introducing penalties for security violations; these approaches have not been very effective. In this research, we are influencing human security decision analysis through direct financial incentives and behavioral interventions such that the decision analysis aligns with economic rationality. The dominant theoretical frameworks used by researchers to improve information security are Protection Motivation Theory and Deterrence Theory. These theories suggest that users make rational security decisions by cognitively weighing the relative gains and losses associated with their choices within a decision calculus. They assume that users will respond rationally to perceived security threats in the environment and to sanctions imposed on noncompliance. Users are expected to internally regulate their behavior based on an understanding of security threats and the consequences of risky behavior; however, in the course of daily activities users often minimize the risks associated with their behavior and may rationalize noncompliant behavior by perceiving that costs of compliance outweigh benefits. We seek to improve security compliance by changing the user?s security decision calculus. Drawing on principles of behavioral economics, we use extrinsic rewards (i.e. financial incentives) to initiate compliance, and psychological manipulations (nudges) to promote ongoing internal regulation of security behavior, such that users sustain secure behaviors when external incentives are no longer in place. The multidisciplinary nature of this work enhances understanding of many information security issues and provides a fresh perspective for research on behavioral security and security economics.

整个社会都感受到了网络安全漏洞的威胁和影响，并对企业造成了巨大财务损失和违反国家秘密的损失。人类行为越来越被视为一种根本的安全脆弱性，这是许多安全漏洞的中心。已经使用了几种方法来改善用户安全行为，包括制定信息安全策略，提供安全意识培训以及引入针对安全违规行为的罚款；这些方法不是很有效。在这项研究中，我们通过直接的财务激励措施和行为干预措施来影响人类安全决策分析，以使决策分析与经济合理性保持一致。研究人员用于改善信息安全的主要理论框架是保护动机理论和威慑理论。这些理论表明，用户通过认知权衡与他们在决策计算中的选择相关的相对收益和损失来做出合理的安全决策。他们假设用户将对环境中的安全威胁以及对违规行为施加的制裁做出合理的响应。预计用户将根据对安全威胁的理解和风险行为的后果来内部规范其行为；但是，在日常活动的过程中，用户通常将与行为相关的风险最小化，并通过认为合规成本超过福利来使非规则行为合理化。我们试图通过更改用户的安全决策来提高安全性合规性。利用行为经济学的原则，我们使用外部奖励（即经济激励措施）来启动合规性和心理操纵（nudges）来促进对安全行为的持续内部调节，从而在不再存在外部激励措施时维持安全行为。这项工作的多学科性质增强了人们对许多信息安全问题的理解，并为行为安全和安全经济学的研究提供了新的观点。