Choice Architecture for Information Security
The main goal of the ChaISE project is to create a rigorous choice architecture that will nudge decision makers towards demonstrably better information security decisions. Achieving this goal requires:
- An in-depth understanding of the psychological phenomena that dictate security behaviour relevant to data loss protection under consumerisation, for all relevant decision makers (CISOs, IT administrators and employees).
- The creation of a choice architecture based on rigorous underlying assessment techniques (measurement, experimental evidence or models), one that exposes the impact of uncertainty and optimises for the value of rigour.
- The design and implementation of a set of stealth tools that implement the choice architecture and steer the decision-making to “better” decisions. Our priority is to reach an optimal trade-off between security and productivity.
- Evaluation of the stealth tools to ensure they deliver improved security decisions and behaviour.
This work will be carried out within the context of consumerisation – the growing trend of companies allowing their employees to bring their own devices (BYOD) to work, and the use of company-owned mobile devices outside the company's security perimeter. Keeping the workplace secure as the boundaries between work and personal life become more blurred is possibly the main challenge IT departments will face in the coming years. Depending on the enterprise, doing the “right thing” may result in different policies. The project will work with large organisations and SMEs through well-established channels, and will demonstrate the benefits of the advocated choice architecture through a case study in an SME.
Our work takes inspiration from the work on nudging in the behavioural economics community, which provides a framework for influencing decision makers as effectively as possible. In particular, we need to develop tools and techniques to form a choice architecture tailored to information security. Information security has particular well-known characteristics, which we will exploit to provide sufficient rigour underlying the choice architecture. The project will establish rigorous mathematical approaches for including uncertainty about unknowns in our analysis, and will derive a theory of the ‘value of rigour’, allowing experts to judge which elements of rigour will repay further investment.
Our work seeks to understand how people make decisions regarding their security and privacy. We do this by examining the psychological factors involved in decision-making and the behaviours that follow from it; this provides the foundation for nudges aimed at modifying or changing the individual behaviours that compromise their company's privacy and cyber security. Instead of forcing more and more rigid security policies on employees, we will identify and employ nudging strategies. Nudges make use of social, personal and environmental factors known to influence human behaviour. They take various forms, ranging from gentle reminders about potential risks, to reordering options, to showing the options selected by other members of staff, to making the secure option the default and most preferred option. We are particularly interested in understanding the relationship between security behaviours and perceptions of data ownership and company citizenship.
To meet this goal, the project brings together a multi-disciplinary research team from Human-Computer Interaction, Psychology and Computing at Newcastle University and Northumbria University. In particular, it involves researchers from Northumbria University's Psychology and Communication Technology (PaCT) Lab and Warning, Advice & Reporting Point (nuWARP), in collaboration with Newcastle University's School of Computing Science and Centre for Cybercrime and Computer Security (CCCS).