Quantifying the Effect of Cognitive Biases on Security Decision-making

Total Pages : 188
ISBN-10 : OCLC:1090354472

Book Synopsis Quantifying the Effect of Cognitive Biases on Security Decision-making by : Tahani Albalawi

Written by Tahani Albalawi and released in 2018, with 188 pages in total. Book excerpt: Recently, characteristics of human behavior have created a new important source for attackers. The attackers' attention shifted from the direct machine attacks that require breaking the underlying cryptography to target human vulnerability to get access to the information. Despite problems that human vulnerability has created, the human role has received too little attention in the security domain. The role of humans is often neglected in favor of technical solutions in the cyber security equation. This may be due to a lack of understanding of human vulnerability. The technical side is clearly an essential part of cyber security, but people are also strongly involved in information security. The technical side is more identifiable but human behavior is still very important. Fortunately, Social Engineering Security is changing the way we look at computer security. The main pillar of this field is how human psychological factors can influence humans to make bad or irrational decisions. People's irrational judgments (human error) are often caused by cognitive biases (CB), which are tendencies to think irrationally in certain types of situations. The awareness of CB goes back to the early 1970s when the psychologists Kahneman and Tversky showed there might be a gap between how humans should make a decision and how they actually make a decision. CB is often connected with two aspects: first, some limitation in processing knowledge that is caused by the cognitive load (CL), which is related to human neutrality, and second, the usability of the system. Usability of a system is one of the causes of people's biases in decisions.
On the other hand, people's security decisions in the domain of cyber security are also closely tied to usability. The mismatch between security and usability goals contributes to making inappropriate security-related decisions. Clearly, we can see that security decision-making is a result of three overlapping factors: security, usability and CB. Studies have been focused on evaluating the security policies and techniques. The focus of these evaluations is on the intentional threats that result from a malicious intent of access. The unintentional threat that results from human error has not received the necessary attention. Thus, this study focuses on the security threats that relate to human error with non-malicious and legal intent. This dissertation has several contributions to current research in the security field: First, it pays attention to the security threats that relate to human error and result from non-malicious legal intent. It addresses the human error that leads to the unintentional threat by exploring human cognitive processes in the context of cyber security. Since human error results from three overlapping factors, security, usability and CB, this research also studies the relation between these factors. It explores the links between security decision-making and usability, as well as illustrating the cognitive processing and reasoning behind the end-user decision by depicting the concept set that leads the end-user to make a specific decision. For this part, a mental model has been proposed for people's decision-making toward security and usability. To construct the model, a crowd-sourcing technique and a cognitive map approach are used, and an experiment is performed to evaluate the findings using Amazon Mturk. Second, this dissertation quantifies the individual's security decision-making under the influence of cognitive biases, with full consideration of usability factors.
For these purposes, another experiment is conducted involving 54 participants who performed multiple security tasks. An eye-tracking machine is used to record cognitive measurements that are used for decision analysis. The proposed model for security decision is derived from the Multi Criteria Decision Analysis (MCDA) approach. In the decision-making context, MCDA is a technique that provides formal methods to analyze decisions that involve different or contradicting factors.


Quantifying the Effect of Cognitive Biases on Security Decision-making Related Books

Quantifying the Effect of Cognitive Biases on Security Decision-making
Language: en
Pages: 188
Authors: Tahani Albalawi
Categories: Computer security
Type: BOOK - Published: 2018 - Publisher:

Recently, characteristics of human behavior have created a new important source for attackers. The attackers' attention shifted from the direct machine attacks
Cognitive Biases in Visualizations
Language: en
Pages: 185
Authors: Geoffrey Ellis
Categories: Computers
Type: BOOK - Published: 2018-09-27 - Publisher: Springer

This book brings together the latest research in this new and exciting area of visualization, looking at classifying and modelling cognitive biases, together wi
National Security Through a Cockeyed Lens
Language: en
Pages: 167
Authors: Steve A. Yetiv
Categories: Education
Type: BOOK - Published: 2013-12 - Publisher: JHU Press

"What are key mental errors that can undermine good decision making? Drawing on four decades of psychological, historical, and political science research on cog
Advances in Brain Inspired Cognitive Systems
Language: en
Pages: 606
Authors: Jinchang Ren
Categories: Computers
Type: BOOK - Published: 2020-01-31 - Publisher: Springer Nature

This book constitutes the refereed proceedings of the 10th International Conference on Advances in Brain Inspired Cognitive Systems, BICS 2019, held in Guangzho
HCI International 2023 – Late Breaking Papers
Language: en
Pages: 698
Authors: Masaaki Kurosu
Categories: Computers
Type: BOOK - Published: 2023-11-24 - Publisher: Springer Nature

This seven-volume set LNCS 14054-14060 constitutes the proceedings of the 25th International Conference, HCI International 2023, in Copenhagen, Denmark, in July