Iryna Yevseyeva, Charles Morisset, Thomas Groß, Aad van Moorsel


Information security decisions typically involve a trade-off between security and productivity. In practical settings, it is often the human user who is best positioned to make this trade-off decision, or in fact has a right to make its own decision (such as in the case of `bring your own device’), although it may be responsibility of a company security manager to influence employees choices. One of the practical ways to model human decision making is with multi-criteria decision analysis, which we use here for modeling security choices. The proposed decision making model facilitates quantitative analysis of influencing information security behavior by capturing the criteria affecting the choice and their importance to the decision maker. Within this model, we will characterize the optimal modification of the criteria values, taking into account that not all criteria can be changed. We show how subtle defaults influence the choice of the decision maker and calculate their impact. We apply our model to derive optimal policies for the case study of a public Wi-Fi network selection, in which the graphical user interface aims to influence the user to a particular security behavior. Keywords: security decision making, nudging, security-productivity trade-off, multi-criteria decision analysis Date: 11-12 September 2014 Presented: 11th European Workshop on Performance Engineering (EPEW 2014), 11-12 September 2014, Florence, Italy. Published: Computer Performance Engineering, LNCS, Springer. 8721, 2014, pp. 194-208. Publisher: Springer Full Text: