A Decision Making Model of Influencing Behavior in Information Security

  • Iryna Yevseyeva
  • Charles Morisset
  • Thomas Groß
  • Aad van Moorsel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8721)


Information security decisions typically involve a trade-off between security and productivity. In practical settings, it is often the human user who is best positioned to make this trade-off decision, or in fact has a right to make its own decision (such as in the case of ‘bring your own device’), although it may be responsibility of a company security manager to influence employees choices. One of the practical ways to model human decision making is with multi-criteria decision analysis, which we use here for modeling security choices. The proposed decision making model facilitates quantitative analysis of influencing information security behavior by capturing the criteria affecting the choice and their importance to the decision maker.Within this model, we will characterize the optimal modification of the criteria values, taking into account that not all criteria can be changed. We show how subtle defaults influence the choice of the decision maker and calculate their impact. We apply our model to derive optimal policies for the case study of a public Wi-Fi network selection, in which the graphical user interface aims to influence the user to a particular security behavior.


Decision Maker Information Security Criterion Weight Access Control Policy Impact Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aime, M., Calandriello, G., Lioy, A.: Dependability in wireless networks: Can we rely on WiFi? IEEE Security Privacy 5(1), 23–29 (2007)CrossRefGoogle Scholar
  2. 2.
    Belton, V., Stewart, T.: Multiple Criteria Decision Analysis: An Integrated Approach. Kluwer Academic Publishers, Dordrecht (2002)Google Scholar
  3. 3.
    Bishop, M.A.: The Art and Science of Computer Security. Addison-Wesley Longman Publishing Co., Inc., Boston (2003)Google Scholar
  4. 4.
    Bovens, L.: The ethics of nudge. In: Grüne-Yanoff, T., Hansson, S. (eds.) Preference Change: Approaches from Philosophy, Economics and Psychology. Philosophy and Methodology of Social Sciences, vol. 42, pp. 207–219. Springer, Theory and Decision Library (2009)Google Scholar
  5. 5.
    Chismon, D., Carter, T., Ruks, M., Hoggard, H.: Mobile devices: Guide for implementers. White paper, MWRInfoSecurity and Center for the Protection of National Infrastructure (CPNI), Basingstoke, UK (February 2013)Google Scholar
  6. 6.
    Choe, E.K., Jung, J., Lee, B., Fisher, K.: Nudging people away from privacy-invasive mobile apps through visual framing. In: Kotzé, P., Marsden, G., Lindgaard, G., Wesson, J., Winckler, M. (eds.) INTERACT 2013, Part III. LNCS, vol. 8119, pp. 74–91. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Clarke, J., Hidalgo, M.G., Lioy, A., Petkovic, M., Vishik, C., Ward, J.: Consumerization of IT: Top risks and opportunities. ENISA deliverables, European Network and Information Security Agency (ENISA), European Network and Information Security Agency (ENISA) report (2012)Google Scholar
  8. 8.
    Farnham, G., Leune, K.: Tools and standards for cyber threat intelligence projects. Technical report, SANS Institute (2013)Google Scholar
  9. 9.
    Ferreira, A., Huynen, J.-L., Koenig, V., Lenzini, G., Rivas, S.: Socio-technical study on the effect of trust and context when choosing WiFi names. In: Accorsi, R., Ranise, S. (eds.) STM 2013. LNCS, vol. 8203, pp. 131–143. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  10. 10.
    Goodwin, P., Wright, G.: Decision Analysis for Management Judgment, 4th edn. J. Wiley (2009)Google Scholar
  11. 11.
    Heilmann, C.: Success conditions for nudges: A methodological critique of libertarian paternalism. European Journal for Philosophy of Science 4(1), 75–94 (2014)CrossRefGoogle Scholar
  12. 12.
    AIDC worldwide mobile worker population 2010-2015 forecast. Technical report, IDC Australia (2012)Google Scholar
  13. 13.
    Kahneman, D.: Thinking, fast and slow. Farrar, Straus & Giroux, New York (2011)Google Scholar
  14. 14.
    Kahneman, D., Tversky, A.: Prospect theory: An analysis of decision under risk. Econometrica 47(2), 263–291 (1979)CrossRefzbMATHGoogle Scholar
  15. 15.
    Keeney, R., Raiffa, H.: Decisions with Multiple Objectives: Preferences and Value Tradeoffs. J. Wiley, New York (1976)Google Scholar
  16. 16.
    Kennedy, D., O’Gorman, J., Kearns, D., Aharoni, M.: Metasploit: The Penetration Tester’s Guide, 1st edn. No Starch Press, San Francisco (2011)Google Scholar
  17. 17.
    Morisset, C., Groß, T., van Moorsel, A., Yevseyeva, I.: Formalization of influencing in information security. Technical Report CS-TR-1423, Newcastle University (May 2014)Google Scholar
  18. 18.
    Morisset, C., Groß, T., van Moorsel, A., Yevseyeva, I.: Nudging for quantitative access control systems. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 340–351. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  19. 19.
    Seigneur, J.-M., Kölndorfer, P., Busch, M., Hochleitner, C.: A survey of trust and risk metrics for a BYOD mobile worker world. In: Proceedings of SOTICS 2013, pp. 82–91. IARIA (2013)Google Scholar
  20. 20.
    Servin, A., Kudenko, D.: Multi-agent reinforcement learning for intrusion detection: A case study and evaluation. In: Bergmann, R., Lindemann, G., Kirn, S., Pěchouček, M. (eds.) MATES 2008. LNCS (LNAI), vol. 5244, pp. 159–170. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Applying behavioural insights to reduce fraud, error and debt. Policy paper: Transforming government services to make them more efficient and effective for users, Cabinet Office, Behavioural Insights Team, UK (February 2012)Google Scholar
  22. 22.
    Thaler, R.H., Sunstein, C.R.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press, New Haven (2008)Google Scholar
  23. 23.
    Turland, J., Coventry, L., Jeske, D., Briggs, P., Laing, C., Yevseyeva, I., van Moorsel, A.: Nudging towards security: Developing an application for wireless network selection for android phones (in preparation, 2014)Google Scholar
  24. 24.
    Yevseyeva, I., Morisset, C., Turland, J., Coventry, L., Groß, T., Laing, C., van Moorsel, A.: Consumerization of IT: Mitigating risky user actions and improving productivity with nudging. In: Proceeding of CENTERIS 2014 - Conference on ENTERprise Information Systems. Springer (accepted, 2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Iryna Yevseyeva
    • 1
  • Charles Morisset
    • 1
  • Thomas Groß
    • 1
  • Aad van Moorsel
    • 1
  1. 1.Centre for Cybercrime and Computer Security, School of Computing ScienceNewcastle UniversityNewcastle upon TyneUK

Personalised recommendations