Abstract
In general, in order to predict the impact of human behaviour on the security of an organisation, one can either build a classifier from actual traces observed within the organisation, or build a formal model, integrating known existing behavioural elements. Whereas the former approach can be costly and time-consuming, and it can be complicated to select the best classifier, it can be equally complicated to select the right parameters for a concrete setting in the latter approach. In this paper, we propose a methodical assessment of decision trees to predict the impact of human behaviour on the security of an organisation, by learning them from different sets of traces generated by a formal probabilistic model we designed. We believe this approach can help a security practitioner understand which features to consider before observing real traces from an organisation, and understand the relationship between the complexity of the behaviour model and the accuracy of the decision tree. In particular, we highlight the impact of the norm and messenger effects, which are well-known influencers, and therefore the crucial importance to capture observations made by the agents. We demonstrate this approach with a case study around tailgating. A key result from this work shows that probabilistic behaviour and influences reduce the effectiveness of decision trees and, importantly, they impact a model differently with regards to error rate, precision and recall.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bartsch, S., Sasse, M.A.: How users bypass access control and why: the impact of authorization problems on individuals and the organization (2012)
Beautement, A., Sasse, M.A., Wonham, M., The compliance budget: managing security behaviour in organisations. In: Proceedings of 2008 Workshop on New Security Paradigms, pp. 47–58. ACM (2009)
Blythe, J., Koppel, R., Smith, S.W.: Circumvention of security: good users do bad things. IEEE Secur. Priv. 11(5), 80–83 (2013)
Caufield, T., Parkin, S.: Case study: predicting the impact of a physical access control intervention. In: STAST (Socio-Technical Aspects of Security and Trust) (2016, in publication)
Caulfield, T., Pym, D.: Improving security policy decisions with models. IEEE Secur. Priv. 13(5), 34–41 (2015)
Cheh, C., Chen, B., Temple, W.G., Sanders, W.H.: Data-driven model-based detection of malicious insiders via physical access logs. In: Bertrand, N., Bortolussi, L. (eds.) QEST 2017. LNCS, vol. 10503, pp. 275–291. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66335-7_17
Cialdini, R.B., Garde, N.: Influence, vol. 3. A. Michel (1987)
Das, S., Kim, T.H.-J., Dabbish, L.A., Hong, J.I.: The effect of social influence on security sensitivity. In: Proceedings of SOUPS, vol. 14 (2014)
Dolan, P., Hallsworth, M., Halpern, D., King, D., Metcalfe, R., Vlaev, I.: Influencing behaviour: the mindspace way. J. Econ. Psychol. 33(1), 264–277 (2012)
Dolan, P., Hallsworth, M., Halpern, D., King, D., Vlaev, I.: Mindspace: influencing behaviour for public policy (2010)
Frank, R.H.: If homo economicus could choose his own utility function, would he want one with a conscience? Am. Econ. Rev. 77, 593–604 (1987)
Gellert, A., Vintan, L.: Person movement prediction using hidden Markov models. Stud. Inform. Control 15(1), 17 (2006)
Michie, S., van Stralen, M.M., West, R.: The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implement. Sci. 6(1), 42 (2011)
Rao, H., Greve, H.R., Davis, G.F.: Fool’s gold: social proof in the initiation and abandonment of coverage by wall street analysts. Adm. Sci. Q. 46(3), 502–526 (2001)
Shaw, R.S., Chen, C.C., Harris, A.L., Huang, H.-J.: The impact of information richness on information security awareness training effectiveness. Comput. Educ. 52(1), 92–100 (2009)
Thaler, R.H.: From homo economicus to homo sapiens. J. Econ. Perspect. 14(1), 133–141 (2000)
Tristanc: SysModels Package, February 2017. https://github.com/tristanc/SysModels. Accessed 08 June 2017
Uebelacker, S., Quiel, S.: The social engineering personality framework. In: 2014 Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 24–30. IEEE (2014)
Witten, I.H., Frank, E., Hall, M.A., Pal, C.J.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, Burlington (2016)
Zhu, F., Carpenter, S., Kulkarni, A., Kolimi, S.: Reciprocity attacks. In: Proceedings of 7th Symposium on Usable Privacy and Security, p. 9. ACM (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix A Additional Results
Appendix A Additional Results
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Carmichael, P., Morisset, C. (2018). Learning Decision Trees from Synthetic Data Models for Human Security Behaviour. In: Cerone, A., Roveri, M. (eds) Software Engineering and Formal Methods. SEFM 2017. Lecture Notes in Computer Science(), vol 10729. Springer, Cham. https://doi.org/10.1007/978-3-319-74781-1_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-74781-1_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74780-4
Online ISBN: 978-3-319-74781-1
eBook Packages: Computer ScienceComputer Science (R0)