Formalization of Influencing in Information Security

Information security decisions typically involve a trade-off between security and productivity. In practical settings it is often the human/user who is best positioned to make this trade-off decision, or in fact has a right to make its own decision (such as in the case of 'bring your own device'). It then may be useful to discuss approaches which aim to influence the user decision, while leaving end responsibility with the user. This is often referred to as nudging the user, or, more generally, as influencing human behavior. The main aim of this paper is to provide a generic formalization to facilitate rigorous quantitative analysis of influencing information security behavior, providing a theoretical basis for studying, optimizing, comparing and evaluating approaches. In particular, we propose an agent-based formalization that captures the human decision maker as well as the influencer and the relationship between them. Within this formalization we will characterize an optimal policy for influencing and formally prove that such policies are optimal. We then embed multi-criteria decision making into our formalism as an approach to model human behavior and to choose between alternatives. We apply our formalization by deriving optimal policies for the selection of WiFi networks, in which the graphical user interface aims to nudge the user to particular security behavior. © 2014 Newcastle University. Printed and published by Newcastle University, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England. Bibliographical details MORISSET, C., YEVSEYEVA, I., GROß, T., VAN MOORSEL, A. Formalization of Influencing in Information Security [By] C. Morisset, I. Yevseyeva, T. Groß, and A. van Moorsel Newcastle upon Tyne: Newcastle University: Computing Science, 2014. (Newcastle University, Computing Science, Technical Report Series, No. CS-TR-1423)