A technique for using employee perception of security to support usability diagnostics

2015 Workshop on Socio-Technical Aspects in Security and Trust Pub Date : 2015-07-13 DOI:10.1109/STAST.2015.9

S. Parkin, Sanket Epili

{"title":"A technique for using employee perception of security to support usability diagnostics","authors":"S. Parkin, Sanket Epili","doi":"10.1109/STAST.2015.9","DOIUrl":null,"url":null,"abstract":"Problems of unusable security in organisations are widespread, yet security managers tend not to listen to employees' views on how usable or beneficial security controls are for them in their roles. Here we provide a technique to drive management of security controls using end-user perceptions of security as supporting data. Perception is structured at the point of collection using Analytic Hierarchy Process techniques, where diagnostic rules filter user responses to direct remediation activities, based on recent research in the human factors of information security. The rules can guide user engagement, and support identification of candidate controls to maintain, remove, or learn from. The methodology was incorporated into a prototype dashboard tool, and a preliminary validation conducted through a walk-through consultation with a security manager in a large organisation. It was found that user feedback and suggestions would be useful if they can be structured for review, and that categorising responses would help when revisiting security policies and identifying problem controls.","PeriodicalId":322373,"journal":{"name":"2015 Workshop on Socio-Technical Aspects in Security and Trust","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-07-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 Workshop on Socio-Technical Aspects in Security and Trust","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/STAST.2015.9","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Problems of unusable security in organisations are widespread, yet security managers tend not to listen to employees' views on how usable or beneficial security controls are for them in their roles. Here we provide a technique to drive management of security controls using end-user perceptions of security as supporting data. Perception is structured at the point of collection using Analytic Hierarchy Process techniques, where diagnostic rules filter user responses to direct remediation activities, based on recent research in the human factors of information security. The rules can guide user engagement, and support identification of candidate controls to maintain, remove, or learn from. The methodology was incorporated into a prototype dashboard tool, and a preliminary validation conducted through a walk-through consultation with a security manager in a large organisation. It was found that user feedback and suggestions would be useful if they can be structured for review, and that categorising responses would help when revisiting security policies and identifying problem controls.

查看原文本刊更多论文

一种利用员工对安全性的感知来支持可用性诊断的技术

组织中不可用的安全问题普遍存在，但安全管理人员往往不听取员工关于安全控制在他们的角色中如何可用或有益的观点。在这里，我们提供了一种技术，使用最终用户对安全性的感知作为支持数据来驱动安全控制的管理。感知是在收集点使用层次分析法(Analytic Hierarchy Process)技术构建的，其中诊断规则根据最近对信息安全的人为因素的研究，过滤用户对直接补救活动的响应。这些规则可以引导用户参与，并支持识别需要维护、删除或学习的候选控件。该方法被合并到一个原型仪表板工具中，并通过与大型组织中的安全经理进行全面咨询进行了初步验证。我们发现，如果用户的反馈和建议能够结构化以供审查，那么它们将是有用的，并且对响应进行分类将有助于重新审视安全策略和识别问题控制。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2015 Workshop on Socio-Technical Aspects in Security and Trust

自引率

0.00%

发文量