The Role of Human Factors/Ergonomics in the Science of Security

Proctor, Robert W.; Chen, Jing

doi:10.1177/0018720815585906

Cited by 60 publications

(32 citation statements)

References 36 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, the time it takes to develop and build cybersecurity capabilities is a major source of delays, often taking years. Human factors play a crucial role in cybersecurity [63], and recent analyses show that employees are often the weakest link in an organization with regard to cybersecurity [64].…”

Section: Complex Systems and Delays In Building Cybersecurity Capabilmentioning

confidence: 99%

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Jalali

Siegel

Madnick

2019

The Journal of Strategic Information Systems

View full text Add to dashboard Cite

We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity. development. albeit inadvertently-introduce new, more subtle vulnerabilities. Research also suggests that attackers in cyberspace are not only rational and motivated by economic incentives [6], but also act strategically in identifying targets and approaches [7]-in other words, "The good guys are getting better, but the bad guys are getting badder faster" [8]. Perhaps there was a time a decade ago when cybersecurity was only a matter of "if" an organization was going to be compromised, but today it has become a question of "when," and "at what level."Despite the proliferation of cyberattack capabilities and their potential implications, many organizations still perform poorly with respect to cybersecurity management. These companies ignore or underestimate cyber risks, or rely solely on generic off-the-shelf cybersecurity solutions. A mere 19% of chief information security officers (CISOs) are confident that their companies can effectively address a cybersecurity incident [9]. In May 2017, the WannaCry ransomware attack-a type of malware that blocks access to computer systems until a ransom is paid-affected companies worldwide, even though a patch for the exploited Windows vulnerabilities had been made available by Microsoft months earlier in March 2017 [10]. As data grows in size and value, the increase of cyber risks and escalation of privacy concerns demand that managers improve their approach to cybersecurity capability development-interventions to build such capabilities typically include improvements to technology already in place, in addition to the purchase of new technology, talent acquisition, and training, among other activities. Research objective and approachThe importance of being proactive in cybersecurity capability development is well understoodit is more cost effective than taking a reactionary approach and reduces failure rates [11].Although many executives and decision-makers are becoming aware of the significance of cybersecurity, a major question remains unanswered: Are experienced managers more proactive than inexperienced individuals in building cybersecurity capabilities? F...

show abstract

Section: Complex Systems and Delays In Building Cybersecurity Capabilmentioning

confidence: 99%

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Jalali

Siegel

Madnick

2019

The Journal of Strategic Information Systems

View full text Add to dashboard Cite

show abstract

“…Unfortunately, researchers have neglected human operators' response behavior in earlier cyber security research (Mancuso et al, 2014;Proctor and Chen, 2015). Horowitz and Lucero (2016) and Heiges et al (2015) used a scenario with a manipulated navigation system showing false waypoints.…”

Section: A Human Factors Approach To Cyber-attacksmentioning

confidence: 99%

Are pilots prepared for a cyber-attack? A human factors approach to the experimental evaluation of pilots' behavior

Gontar

Homans

Rostalski

et al. 2018

Journal of Air Transport Management

View full text Add to dashboard Cite

A B S T R A C TThe increasing prevalence of technology in modern airliners brings not just advantages, but also the potential for cyber threats. Fortunately, there have been no significant attacks on civil aircraft to date, which allows the handling of these emerging threats to be approached proactively. Although an ample body of research into technical defense strategies exists, current research neglects to take the human operator into account. In this study, we present an exploratory experiment focusing on pilots confronted with a cyber-attack. Results show that the occurrence of an attack affects all dependent variables: pilots' workload, trust, eye-movements, and behavior. Pilots experiencing an attack report heavier workload and weakened trust in the system than pilots whose aircraft is not under attack. Further, pilots who experienced an attack monitored basic flying instruments less and their performance deteriorated. A warning about a potential attack seems to moderate several of those effects. Our analysis prompts us to recommend incorporating cyber-awareness into pilots' recurrent training; we also argue that one has to consider all affected personnel when designing such training. Future research should target the development of appropriate procedures and training techniques to prepare pilots to correctly identify and respond to cyber-attacks.

show abstract

“…For instance, the time it takes to develop and build cybersecurity capabilities is a major source of delays, often taking years, as well as the delay in training employees. Human factors play a crucial role in cybersecurity [60], and recent analyses show that employees are often the weakest link in an organization with regard to cybersecurity [61]. As a result, organizations are urged to consider investing in cybersecurity training as a top priority [62], and to encourage protection-motivated behaviors [63,64].…”

Section: Complex Systems and Delays In Building Cybersecurity Capabilmentioning

confidence: 99%

Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

2017

View full text Add to dashboard Cite

Abstract:We developed a simulation game to study how well decision makers understand two fundamental aspects of complexity in cybersecurity: potential delays in building capabilities, and uncertainties in predicting cyber-incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals to an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects. Both groups also exhibited similar errors when dealing with the uncertainty of cyber-incidents. Our findings highlight the importance of training for decision-makers, and lay the groundwork for future research in uncovering mental biases about the complexities of cybersecurity.

show abstract

The Role of Human Factors/Ergonomics in the Science of Security

Abstract: Human factors specialists should utilize their foundation in the science of applied information processing and decision making to contribute to the science of cybersecurity.

Cited by 60 publications

References 36 publications

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Are pilots prepared for a cyber-attack? A human factors approach to the experimental evaluation of pilots' behavior

Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

Contact Info

Product

Resources

About