Information security decisions are often made without any formal or rigorous backing. For instance, data about the impact or likelihood of security breaches is rarely available, and careful prediction, for instance using Monte Carlo simulation, is often omitted. It is natural, but also somewhat easy, to say that we need more rigorous techniques when we make information security decisions. In the investigator's own work the following key challenges remain unresolved.
First, rigorous approaches may introduce a false sense of security in decision-makers by not fully disclosing their assumptions to those decision-makers (e.g., a model may assume a restricted attack scenario). Secondly, one may invest in perfecting the rigorous aspect without gaining much more information; that is, the added rigour may not lead to better decisions. This violates Buffett's mantra that it is better to be approximately right than precisely wrong. Thirdly, decision-makers tend to ignore the information they receive through rigorous assessment, unless it validates the decision they already intended to make.
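The first two challenges can be made concrete with a small Monte Carlo model of annual breach loss. The example below is added here for illustration; it is not code from the proposal or the project. All scenario figures (incident rates, loss medians, the control cost) are constructed, and the decision rule (buy a control if mean annual loss exceeds its annual cost) is a deliberate simplification. The point it demonstrates is the one made above: a model that silently restricts itself to one attack scenario reports a reassuring loss distribution, while adding one further scenario leaves the median almost untouched but moves the tail and can flip the decision. Listing the scenarios alongside the numbers is the disclosure of assumptions the text asks for.

```python
"""Monte Carlo estimate of annual breach loss under explicitly listed scenarios."""
import math
import random
import statistics

# Constructed, hypothetical scenarios (not figures from the proposal).
# Each entry: (name, incidents per year, median loss per incident, log-space sd of loss)
RESTRICTED_SCENARIOS = [
    ("lost or stolen personal device", 2.0, 5_000.0, 1.0),
]
# The "wider" model adds one scenario the restricted model silently excluded.
WIDER_SCENARIOS = RESTRICTED_SCENARIOS + [
    ("phishing of work credentials via personal device", 0.3, 80_000.0, 1.2),
]


def sample_poisson(rng, rate):
    """Knuth's inversion method; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, trials=20_000, seed=7):
    """Return one simulated total loss per trial year.

    Incident counts are Poisson; per-incident losses are lognormal, which keeps
    losses positive and gives the heavy right tail breach data typically shows.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, rate, median, sigma in scenarios:
            for _ in range(sample_poisson(rng, rate)):
                total += rng.lognormvariate(math.log(median), sigma)
        totals.append(total)
    return totals


def summarise(totals, threshold=100_000.0):
    """Mean, median, 95th percentile and probability of exceeding a threshold."""
    ordered = sorted(totals)
    n = len(ordered)

    def pct(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(ordered),
        "p50": pct(0.5),
        "p95": pct(0.95),
        "p_exceeds_threshold": sum(t > threshold for t in ordered) / n,
    }


def control_worthwhile(summary, annual_control_cost):
    """Crude expected-value rule (simplification): buy if mean loss exceeds cost."""
    return summary["mean"] > annual_control_cost


def assumption_sensitivity(trials=20_000):
    """Run both models so the effect of the hidden assumption is visible side by side."""
    narrow = summarise(simulate_annual_loss(RESTRICTED_SCENARIOS, trials))
    wide = summarise(simulate_annual_loss(WIDER_SCENARIOS, trials))
    return narrow, wide


if __name__ == "__main__":
    control_cost = 30_000.0  # constructed annual cost of a mitigating control
    narrow, wide = assumption_sensitivity()
    for label, scenarios, summary in (
        ("restricted model", RESTRICTED_SCENARIOS, narrow),
        ("wider model", WIDER_SCENARIOS, wide),
    ):
        # Print the assumptions with the numbers, never the numbers alone.
        print(f"{label}: scenarios assumed = {[s[0] for s in scenarios]}")
        print(f"  mean {summary['mean']:,.0f}  p50 {summary['p50']:,.0f}  "
              f"p95 {summary['p95']:,.0f}  P(loss > 100k) {summary['p_exceeds_threshold']:.3f}")
        print(f"  control worthwhile at {control_cost:,.0f}/yr: "
              f"{control_worthwhile(summary, control_cost)}")
```

Run it and compare the two blocks of output: the median barely moves between the models, which is why a report that only shows a central estimate feels safe, while the 95th percentile and the exceedance probability move substantially and the control decision flips. That gap between "precisely wrong" under the restricted assumption and "approximately right" under the wider one is exactly the sensitivity a decision-maker needs to see disclosed.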
To address these issues, we take inspiration from the work on nudging in the behavioural economics community, which provides a framework to influence decision-makers as effectively as possible. In particular, we need tools and techniques to form a choice architecture tailored to information security. Information security has particular, well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. In particular, the project will establish rigorous mathematical approaches to include uncertainty about unknowns in our analysis, and will derive a theory of the 'value of rigour', allowing experts to judge which elements of rigour repay further investment.
We do our research in connection with one overarching information security issue of high practical importance, namely 'consumerization', that is, the use in the workplace of people's own technologies. This is possibly the main challenge that IT departments face in the coming years: keeping the workplace secure as the boundaries between work and personal life become more blurred. Depending on the enterprise, doing the "right thing" may result in different policies. The project will work with large organisations and SMEs through well-established channels. It will demonstrate the benefits of the advocated choice architecture through a case study in an SME.
In very concrete terms, a possible outcome that an end user may experience as a result of the project is as follows. Our research in the psychology of choice may reveal that a sense of ownership of data contributes to better security behaviour by employees. Quantitative techniques underlying the choice architecture measure the frequency with which an employee uses the phone for this purpose. Nudging tools are installed both as a mobile phone application and as a desktop tool for the CISO. For example, the tool for employees may be a mobile app that visually displays the consequences of data loss from the perspective of the employee, for instance in terms of how success in their job may be at stake. It makes strategic use of opt-outs and opt-ins to nudge the employee to balance security and productivity, based on an underlying predictive model. The nudging tool for the CISO may be a desktop tool that provides the latest data and can be configured for a particular part of the organisation. The CISO tool carefully protects against a false sense of security by presenting the risk of unknowns, and helps the CISO understand which additional data, assessments or decision processes would most improve decision-making.