Module U1: Human Capability and IA
Azene Zenebe, Ph.D., and Lola Staples, M.Sc.
Management of Information Systems Department
Center for Business and Graduate Studies, Room 3330
14000 Jericho Park Road, Bowie, MD 20715

Presentation Outline
• Overview
• Introduction
• Human Capability and Security
• Factors for Human Capability
• Models in Human Computer Interaction (HCI)
• Importance to Usability of Security Systems
• Human Behavior and Security
• Summary
• Discussion Questions
Overview
• Users are not always capable of making the right decisions regarding security.
• If users have to invest too much mental effort in working out how to operate security systems, they will be less efficient and make more errors.
• Interaction between a human and a security system is a cognitive activity.

Objectives
When you complete this module, you will be able to:
• Describe human capability
• Discuss factors that determine human capability
• Describe the relationship between usability of security systems and human capability
• Discuss human behavior in security systems
• Determine factors affecting human behavior in security systems
• Conduct a study of user behavior in a security system

Introduction
• Users interact with computer and information security systems differently and behave differently.
• The purpose of this module is to provide definitions, background and a theoretical framework for human capability and behavior in relation to the usability of computer and information security systems.
Human Capability and Security
• Humans carry out tasks in which information is created, accessed and/or manipulated.
• The more complicated the interaction with the computer system, the more frustrated users become and the more distracted they are from their real tasks.
• Users are not always capable of making the right decisions regarding security.

Human Capability and Security
• Several studies indicate that:
  • The mechanisms for encryption, authorization or authentication can be difficult for people to understand or use.
  • People often fail to recognize security risks or the information provided to alert them.
  • Computer interaction is a cognitive activity that involves processing of information in the mind.

Human Capability and Security - What is Cognition?
• According to the Encyclopædia Britannica, cognition includes “all processes of consciousness by which knowledge is accumulated, such as perceiving, recognizing, conceiving, and reasoning.”
Factors for Human Capacity
• Key factors that affect the way users interact with computer systems are (Benyon, 1993):
  • our sensors
  • attention
  • memory: sensory, short-term (working) and long-term
  • learning
  • mental models

Factors - Sensors
• Perception: seeing is an active process
  • mainly visual environmental information
  • can also involve previously stored knowledge
  • provides a more constant view of the world
  • highly relevant to the user interface of security systems, which should be:
    • legible
    • distinguishable
    • comprehensible
    • uncluttered and meaningfully structured

Factors - Attention
• Attention: our capability to attend to a mass of information at one time
  • We can see, hear, and smell at one time.
  • We are multi-tasking.
  • Hence few tasks or decisions receive our full attention at any given time.

Factors - Memory
• Memory: our ability to store and remember.
• There are three main types of memory:
  • sensory memory (SM)
  • short-term or working memory (STM)
  • long-term memory (LTM)
Factors - Sensory Memory (SM)
• SM retains an exact copy of what is seen, heard or touched
  • mainly visual and auditory
• SM lasts only a few seconds and has unlimited capacity

Factors - Short-Term Memory (STM)
• STM works like RAM memory
• STM provides a working space and is vulnerable to interruption or interference
• STM has a limited capacity of up to 7 pieces of independent information with a single aspect, i.e., actually 7 +/- 2 “chunks.” 7 is called Miller's Magic Number.
• Items in STM last from 3 to 20 seconds

Factors - STM: “Chunking”
• “Chunking” allows the brain to automatically group certain items together, e.g., a telephone number.
• We remember phone numbers as 2 or more groupings of digits.
• We don't really remember "seven" numbers.

Factors - Long-Term Memory (LTM)
• LTM is defined as relatively permanent storage
  • information is stored by meaning and importance
  • information can be stored for extended periods of time
  • capacity limits are unknown
• Information moves from STM to LTM

Factors - Long-Term Memory
• Information moves from STM to LTM by
  • rehearsal
  • practice, and
  • use in context.
• “LTM stores interrelated networks of mental models of the world that form intricate knowledge structures.”

Factors - Long-Term Memory (Con't)
• According to Clark (2004):
  • LTM has a strong influence on perception through top-down processing
  • Our prior knowledge affects how we perceive sensory information
  • Our expectations regarding a particular sensory experience influence how we interpret it; this is how we develop bias.
Factors - Learning
• According to the Merriam-Webster Online Dictionary, learning is defined as “… 2: knowledge or skill acquired by instruction or study. 3: modification of a behavioral tendency by experience (as exposure to conditioning)”
• The ability to learn is possessed by humans, animals and some machines

Factors - Mental Model (MM) (Norman, 1988)
• A MM is a set of beliefs about how a system works.
• Users interact with systems based on their MM.
• Some properties of MMs:
  • Enable users to understand the working of a security system
  • Can be built on the fly from knowledge of prior system experience, training, and interaction
  • Are unstable and subject to change
  • Contain minimal information

Factors - Human Processors (HP)
• Information processing in the HP involves (Card, Moran & Newell, 1983):
  • Encoding the information into some form of internal representation
    • this is related to perception
  • Comparing this representation with previously stored representations in the brain
    • this is related to attention and memory
  • Deciding on appropriate responses; and
  • Organizing a response and necessary action
The Information Processing Model
• Figure 1. The Information Processing Model (Clark, 2004; used with permission).
• http://www.nwlink.com/~donclark/hrd/learning/memory.html

Models of Human Performance
• A simple model of human cognition was developed empirically by Card, Moran and Newell in 1983.
• The components are senses, sensory store, short-term memory, long-term memory, and processors.
• Processor cycle time: 50-200 ms
• Memories have a type, a capacity and a decay time
• See the figure for the model summary

Human Performance - Summary of the empirical study by Card, Moran and Newell (1983) (figure)
Importance to Usability of Security Systems
• Knowledge of human capability helps:
  • Predict what users will remember, retain, understand and use.
  • Plan how to get new security-related knowledge and information retained in users' long-term memory during training.
  • Use chunking when presenting security information and codes such as passwords, access codes, etc. to users.
Amount of Human Effort Required - Examples: PKI
• Things PKI end-users have to learn (Sasse & Flechais, 2006):
  • How to create keys
  • How to import a trust anchor
  • How to import a certificate
  • How to protect private keys
  • How to apply for a certificate

Amount of Human Effort and Security - Examples: PKI (Con't)
• Things PKI end-users have to learn (Sasse & Flechais, 2006):
  • How to turn on digital signing
  • How to get and import someone's public key
  • How to export a certificate
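The eight PKI tasks listed on the two slides above, written out as the openssl commands an end-user has to learn; this is an added illustration, not material from the module or from Sasse & Flechais, and the working directory, names, subjects and passphrase are all assumptions.

```shell
#!/bin/sh
# Added example, not from the module: the PKI end-user tasks listed above
# (create keys, import a trust anchor, apply for / import / export a
# certificate, protect the private key, turn on signing) as the openssl
# commands a user has to learn. Directory, names and passphrase are assumed.
set -e
WORK="${PKI_DEMO_DIR:-$(mktemp -d)}"

# Create a key pair and a self-signed certificate that serves as the trust anchor.
make_trust_anchor() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Trust Anchor" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Create a user key protected by a passphrase, apply for a certificate (CSR)
# and have the trust anchor sign it.
make_user_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
    -pass pass:demo-passphrase -out "$WORK/user.key" 2>/dev/null
  openssl req -new -key "$WORK/user.key" -passin pass:demo-passphrase \
    -subj "/CN=alice@example.test" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/user.crt" 2>/dev/null
}

# Export the certificate (PEM -> DER), import it again, and check that the
# imported copy chains to the trust anchor. Returns non-zero if it does not.
export_import_verify() {
  openssl x509 -in "$WORK/user.crt" -outform DER -out "$WORK/user.der"
  openssl x509 -in "$WORK/user.der" -inform DER -out "$WORK/user_imported.crt"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user_imported.crt" >/dev/null 2>&1
}

# Turn on digital signing: sign a message with the passphrase-protected key and
# verify it with the public key a recipient would import from the certificate.
sign_and_verify_message() {
  printf 'hello' >"$WORK/msg.txt"
  openssl dgst -sha256 -sign "$WORK/user.key" -passin pass:demo-passphrase \
    -out "$WORK/msg.sig" "$WORK/msg.txt"
  openssl x509 -in "$WORK/user.crt" -pubkey -noout >"$WORK/user.pub"
  openssl dgst -sha256 -verify "$WORK/user.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg.txt" >/dev/null 2>&1
}

make_trust_anchor
make_user_cert
export_import_verify
sign_and_verify_message
echo "all PKI steps completed in $WORK"
```

Counting the distinct commands, flags and file formats a user must get right is a concrete way to see the learning burden the slides describe.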
Models in Human Computer Interaction (Norman (1988), Cooper (1995) & IBM (1992))
• Designer's Model: the way the designer represents the application.
• Programmer's Model: the actual way that a system works from a programmer's perspective.
• User's Mental Model: the way that the user perceives how the system works.
• User Model: incorporates the cognitive and performance characteristics of a user.

Interaction-Design Model
• Figure: Designer's Model, User's Mental Model and System Images (Source: http://www.interaction-design.org/encyclopedia/mental_models_glossary.html)

Importance of Mental Models to Usability
• For learning and retaining systems' operations
• Correct mental models => more usable => users are effective, efficient, and satisfied
• An inaccurate mental model of what is happening in a system leads to errors.
• Ideally, the interface and system should be consistent with our mental models of computers, the environment and everyday objects.
Quick Quiz
• Why do we have difficulty in remembering some of our passwords?
• Where do humans store passwords and how do we recall them?
• Explain the role of STM, LTM, and chunking while using simple and complex passwords.
• What are the different tasks to be completed to use a firewall a) by an end-user, b) by a system administrator?
• Compare and contrast the user model, mental model, designer's model and programmer's model.
• What is the mental model of a user about a firewall?
Human Behavior and Security - Risks
• People exaggerate risks that are (Schneier, 2007):
  • Rare
  • Personified
  • Beyond their control
  • Intentional or man-made
  • Immediate
  • Rapidly occurring

Human Behavior and Security - Risks (Con't)
• Users downplay their risk and tend to (West, 2008):
  • Not think they are at risk
  • Not give security their full attention
  • Focus on their goals, such as completing a task, e.g., completing their on-line payment
  • Think of security and safety as abstract concepts, resulting in quick decisions without considering all the risks, consequences and options

Human Behavior and Security - Risks (Con't)
• Examples of risky behavior:
  • Opening an attachment from an unknown source because the subject heading makes the user interested in the content of the file
  • Downloading and installing an ActiveX control from an unknown source in order to view the Web page content

Human Behavior and Security - Risks (Con't)
• To improve security behavior, designers and developers of security systems can (West, 2008):
  • Include a means to reward pro-security behavior, e.g., notify users of unauthorized attempts to access their files
  • Improve risk awareness using message alerts and sounds
  • Catch security policy violators using auditing and monitoring techniques
  • Reduce the cost by making security systems easy to install, configure and use

Quiz
• What are the common attitudes of users with regard to the risks associated with computers?
• Discuss how users make decisions when they face security challenges.
Framework for Studying User Behavior in Security
• The Social-Cognitive Theory (SCT; Bandura, 1986) can be used as a theoretical framework for
  • studying experiences related to security behavior and
  • identifying factors that influence users' behavior
• It is based on a reciprocal relationship between behavior, cognition and environmental factors

Social-Cognitive Theory
• Figure: Social Cognitive Theory (Bandura, 1986) (Source: http://www.des.emory.edu/mfp/eff.html)

Framework for Studying User Behavior (con't)
• Applying the theory:
  • The behavior of users of security systems depends on the individual's cognitions and emotions, which are shaped by observing and exploiting the environment (e.g., other co-workers' behavior).
  • Self-efficacy (the belief that one can execute the behavior needed to achieve an outcome) is expected to have a strong influence on the use of security systems.

Framework for Studying User Behavior - Social-Cognitive Theory
• The Social-Cognitive Theory also presents:
  • the possibility of learning from experience, and
  • learning from the behavior of respected individuals such as colleagues and leaders.
• Finally, knowledge or information about security risks is expected to have an impact on the security-related behavior of users.

Framework for Studying User Behavior - Social-Cognitive Theory
• Therefore, to study experience and the factors influencing user behavior, a model should consider:
  • the personal characteristics of users, including:
    • cognitive capacity;
    • socio-demographic factors;
    • attitudes, beliefs, values, experience, education and knowledge;
  • the environmental factors of users

Quiz
• What is SCT?
• How can SCT be used in studying behavior in security systems?
Takeaway Slides - Summary
• Analysts, designers, programmers and system administrators of information security systems need to consider facts about
  • human capability and
  • human behavior during their activities.
• Security threats can arise from human errors and cognitive limitations during the installation, configuration, use and maintenance of computer and information security systems.

Summary - Human Capabilities
• Demanding too much mental effort from users in operating the computer equates to less efficiency and more errors.
• People often fail to recognize security risks or the information provided to them.
• Users are not always capable of making the right decisions regarding security.
• Security mechanisms such as encryption and authorization can be difficult for people to understand or use.

Summary - Human Capability Factors
• Key factors are: sensors, attention, processor/information processing, memory, learning and the mental models of users.
• Humans are multitasking; therefore, few tasks or decisions receive full attention at a given time.

Summary - Human Capacity: Cognition Model
• The human cognition model comprises:
  • senses, sensory store, short-term memory, long-term memory and
  • processors.
• Humans have a limited capacity for information processing.
• The empirical model developed by Card, Moran and Newell in 1983 estimated the various capacities, decay times, etc.

Summary - Human Capabilities
• Security threats can arise from human errors and cognitive limitations during the:
  • installation
  • configuration
  • use and maintenance of computers and information security systems.

Summary - Chunking
• Chunking allows the brain to automatically group certain items together.
• Human beings have a limited capacity of remembering up to seven pieces of independent information.
• These seven pieces of information are remembered with a single aspect and one exposure; this actually represents 7 +/- 2 “chunks” (7 plus or minus two pieces of information, i.e., between 5 and 9 items).

Summary - Human Capability Knowledge
• Knowledge of human capability helps:
  • predict what users will remember, retain, understand and use;
  • understand how to retain new security-related knowledge and information in users' long-term memory;
  • use “chunking” when presenting security information and codes such as passwords and access codes.

Summary - Models
• The designer's and the user's mental models of security systems should match.
• The burden should be on the system designers to build user expectations into the system.
• Accurate models lead to effective, efficient and satisfied users.
• Inaccurate models lead to errors.